From e617f03066ce81d26f56c06d6bd7787c7de08703 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Sat, 29 Dec 2018 14:17:23 +0100
Subject: Fix #77367: Negative size parameter in mb_split

When adding the last element to the result value of `mb_split`, the `chunk_pos` may point beyond the end of the string, in which case the unsigned `n` would underflow. Therefore, we check whether this is the case in the first place, and only calculate `n` otherwise. Since `n` is no longer used outside the block, we move its declaration inside.
---
 ext/mbstring/php_mbregex.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
(limited to 'ext/mbstring/php_mbregex.c')
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 68922b6966..85219b00e4 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -1238,7 +1238,6 @@ PHP_FUNCTION(mb_split)
 size_t string_len;
 int err;
- size_t n;
 zend_long count = -1;
 if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) {
@@ -1296,8 +1295,8 @@ PHP_FUNCTION(mb_split)
 }
 /* otherwise we just have one last element to add to the array */
- n = ((OnigUChar *)(string + string_len) - chunk_pos);
- if (n > 0) {
+ if ((OnigUChar *)(string + string_len) > chunk_pos) {
+ size_t n = ((OnigUChar *)(string + string_len) - chunk_pos);
 add_next_index_stringl(return_value, (char *)chunk_pos, n);
 } else {
 add_next_index_stringl(return_value, "", 0);
-- cgit v1.2.1
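Review bot: The new guard `if ((OnigUChar *)(string + string_len) > chunk_pos)` in the second hunk stops the unsigned length from wrapping, but it leaves in place the condition the commit message describes, `chunk_pos` pointing beyond the end of `string`. The code that advances `chunk_pos` lies outside both hunks (the body of `PHP_FUNCTION(mb_split)` starts and ends outside them), so it cannot be checked from here. If it can step past `string + string_len`, a bounds check belongs there as well, since this branch only turns the out-of-range pointer into an empty final element. The reason for comparing before subtracting should also be recorded next to the check, for example `/* chunk_pos may lie past the end of string (bug #77367); compare first so n cannot wrap */`.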