From 38cfd6ad8dfc1bdb602993a138537de569a5ccab Mon Sep 17 00:00:00 2001
From: Michael Wallner <mike@php.net>
Date: Wed, 23 Mar 2005 13:11:19 +0000
Subject: [PATCH] - improved range checking

---
 http_api.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/http_api.c b/http_api.c
index ff7468d..3760d31 100644
--- a/http_api.c
+++ b/http_api.c
@@ -286,7 +286,7 @@ static int check_tzone(char *tzone)
 char *pretty_key(char *key, size_t key_len, zend_bool uctitle, zend_bool xhyphen)
 {
 	if (key && key_len) {
-		int i, wasalpha;
+		unsigned i, wasalpha;
 		if (wasalpha = isalpha(key[0])) {
 			key[0] = uctitle ? toupper(key[0]) : tolower(key[0]);
 		}
@@ -1159,7 +1159,8 @@ PHP_HTTP_API http_range_status _http_get_request_ranges(HashTable *ranges, size_
 					{
 						/* "0-12345" */
 						case -10:
-							if (length <= end) {
+							/* "0-", "0-0" or overflow */
+							if (end == -1 || end == -10 || length <= end) {
 								return RANGE_ERR;
 							}
 							begin = 0;
@@ -1167,7 +1168,8 @@ PHP_HTTP_API http_range_status _http_get_request_ranges(HashTable *ranges, size_
 
 						/* "-12345" */
 						case -1:
-							if (length <= end) {
+							/* "-", "-0" or overflow */
+							if (end == -1 || end == -10 || length <= end) {
 								return RANGE_ERR;
 							}
 							begin = length - end;
@@ -1178,6 +1180,11 @@ PHP_HTTP_API http_range_status _http_get_request_ranges(HashTable *ranges, size_
 						default:
 							switch (end)
 							{
+								/* "12345-0" */
+								case -10:
+									return RANGE_ERR;
+								break;
+								
 								/* "12345-" */
 								case -1:
 									if (length <= begin) {
-- 
2.30.2