php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67043 substr_compare falsely reports equality on negative offset
Submitted: 2014-04-08 09:40 UTC Modified: 2014-04-09 06:54 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: php at kirk dot at Assigned: datibbaw
Status: Closed Package: Strings related
PHP Version: 5.5.11 OS: any
Private report: No CVE-ID:
 [2014-04-08 09:40 UTC] php at kirk dot at
Description:
------------
Since version 5.5.11 a substr_compare with a negative 3rd parameter (=offset, thus it should start counting from the end of the string) incorrectly reports equality.

See http://3v4l.org/8co5P

I believe the bug could have been introduced in this commit: https://github.com/datibbaw/php-src/commit/e292391b3899ed2d80a8f44dc94074d68328c6ea

What caught my eye is the introduced cast to an unsigned integer but I don't know if this really is the source of the bug.

Workaround: specify a length (absolute value of the negative offset)

Test script:
---------------
var_dump(substr_compare("template", "_emplate", -8));
var_dump(substr_compare("template", "_emplate", -8, 8));

Expected result:
----------------
int(21)
int(21)

Actual result:
--------------
int(0)
int(21)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-04-08 09:53 UTC] php at kirk dot at
-Operating System: OS X +Operating System: any
 [2014-04-08 09:53 UTC] php at kirk dot at
Saw this bug on multiple OSes, therefore changing OS to any.
 [2014-04-08 17:54 UTC] aharvey@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: datibbaw
 [2014-04-08 17:54 UTC] aharvey@php.net
That does appear to be the relevant commit, per a git bisect.

Tjerk, can you have a look at this, please?
 [2014-04-08 23:44 UTC] datibbaw@php.net
-Status: Assigned +Status: Closed
 [2014-04-08 23:44 UTC] datibbaw@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Noob mistake on my part. Updated the test case to also test the aspect of substr_compare() that deals with no explicit length given.
 [2014-04-09 06:54 UTC] php at kirk dot at
That was fast. thanks!
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Wed Apr 26 19:01:43 2017 UTC