Fix bug #76390 - do not allow invalid strings in range()

php · Jun 5, 2018 · 73bf238 · 73bf238
1 parent 5bf8032
commit 73bf238
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 6 deletions.
diff --git a/ext/standard/array.c b/ext/standard/array.c
@@ -2099,10 +2099,18 @@ PHP_FUNCTION(range)
 	}
 
 	if (zstep) {
-		if (Z_TYPE_P(zstep) == IS_DOUBLE ||
-			(Z_TYPE_P(zstep) == IS_STRING && is_numeric_string(Z_STRVAL_P(zstep), Z_STRLEN_P(zstep), NULL, NULL, 0) == IS_DOUBLE)
-		) {
+		if (Z_TYPE_P(zstep) == IS_DOUBLE) {
 			is_step_double = 1;
+		} else if (Z_TYPE_P(zstep) == IS_STRING) {
+			int type = is_numeric_string(Z_STRVAL_P(zstep), Z_STRLEN_P(zstep), NULL, NULL, 0);
+			if (type == IS_DOUBLE) {
+				is_step_double = 1;
+			}
+			if (type == 0) {
+				/* bad number */
+				php_error_docref(NULL, E_WARNING, "Invalid range string - must be numeric");
+				RETURN_FALSE;
+			}
 		}
 
 		step = zval_get_double(zstep);
@@ -2242,6 +2250,10 @@ PHP_FUNCTION(range)
 		}
 
 		lstep = step;
+		if (step <= 0) {
+			err = 1;
+			goto err;
+		}
 
 		Z_TYPE_INFO(tmp) = IS_LONG;
 		if (low > high) { 		/* Negative steps */

diff --git a/ext/standard/tests/array/range_errors.phpt b/ext/standard/tests/array/range_errors.phpt
@@ -27,6 +27,8 @@ var_dump( range(1) );  // No.of args < expected
 var_dump( range(1,2,3,4) );  // No.of args > expected
 var_dump( range(-1, -2, 2) );  
 var_dump( range("a", "j", "z") );
+var_dump( range(0, 1, "140962482048819216326.24") );
+var_dump( range(0, 1, "140962482048819216326.24.") );
 
 echo "\n-- Testing Invalid steps --";
 $step_arr = array( "string", NULL, FALSE, "", "\0" );
@@ -78,11 +80,17 @@ bool(false)
 Warning: range(): step exceeds the specified range in %s on line %d
 bool(false)
 
+Warning: range(): Invalid range string - must be numeric in %s on line %d
+bool(false)
+
 Warning: range(): step exceeds the specified range in %s on line %d
 bool(false)
 
+Warning: range(): Invalid range string - must be numeric in %s on line %d
+bool(false)
+
 -- Testing Invalid steps --
-Warning: range(): step exceeds the specified range in %s on line %d
+Warning: range(): Invalid range string - must be numeric in %s on line %d
 bool(false)
 
 Warning: range(): step exceeds the specified range in %s on line %d
@@ -91,9 +99,9 @@ bool(false)
 Warning: range(): step exceeds the specified range in %s on line %d
 bool(false)
 
-Warning: range(): step exceeds the specified range in %s on line %d
+Warning: range(): Invalid range string - must be numeric in %s on line %d
 bool(false)
 
-Warning: range(): step exceeds the specified range in %s on line %d
+Warning: range(): Invalid range string - must be numeric in %s on line %d
 bool(false)
 Done