array_slice treats large lengths incorrectly

Bug #28974	array_slice treats large lengths incorrectly
Submitted:	2004-06-30 16:59 UTC	Modified:	2004-07-11 23:32 UTC
From:	tomas_matousek at hotmail dot com	Assigned:
Status:	Closed	Package:	Arrays related
PHP Version:	5.0.0RC3	OS:	WinXP
Private report:	No	CVE-ID:	None

[2004-06-30 16:59 UTC] tomas_matousek at hotmail dot com

Description:
------------
If offset + length > MAX_INTEGER then array_slice function returns wrong results (obviously overflows soume integer in its implementation).


Reproduce code:
---------------
$a = array(0,1,2,3,4,5);

// this is ok:   
print_r(array_slice($a,2,2147483645));

// this is wrong:
print_r(array_slice($a,2,2147483646));


Expected result:
----------------
Array
(
    [0] => 2
    [1] => 3
    [2] => 4
    [3] => 5
)
Array
(
    [0] => 2
    [1] => 3
    [2] => 4
    [3] => 5
)


Actual result:
--------------
Array
(
    [0] => 2
    [1] => 3
    [2] => 4
    [3] => 5
)
Array
(
)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-07-11 23:32 UTC] andrey@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

  The same kind of overflow appeared and was fixed in array_splice(), substr(), substr_replace(), strspn() and strcspn(). Fixed in 4.3.x and 5.0.0-dev