1 files changed, 55 insertions, 0 deletions

diff --git a/bug71906.patch b/bug71906.patch
new file mode 100644
index 0000000..6a29692
--- /dev/null
+++ b/bug71906.patch
@@ -0,0 +1,55 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From f8dd10508bd66b6eefb18d319577b443fb1e0c55 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 28 Mar 2016 01:22:37 -0700
+Subject: [PATCH] Fixed bug #71906: AddressSanitizer: negative-size-param (-1)
+ in mbfl_strcut
+
+---
+ ext/mbstring/libmbfl/mbfl/mbfilter.c | 34 +++++++++++++++++-----------------
+ main/php_version.h                   |  6 +++---
+ 2 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c
+index 3b14727..4986472 100644
+--- a/ext/mbstring/libmbfl/mbfl/mbfilter.c
++++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c
+@@ -1501,7 +1501,7 @@ mbfl_strcut(
+ 		if (encoding->flag & (MBFL_ENCTYPE_WCS2BE | MBFL_ENCTYPE_WCS2LE)) {
+ 			from &= -2;
+ 
+-			if (from + length >= string->len) {
++			if (length >= string->len - from) {
+ 				length = string->len - from;
+ 			}
+ 
+@@ -1510,14 +1510,14 @@ mbfl_strcut(
+ 		} else if (encoding->flag & (MBFL_ENCTYPE_WCS4BE | MBFL_ENCTYPE_WCS4LE)) {
+ 			from &= -4;
+ 
+-			if (from + length >= string->len) {
++			if (length >= string->len - from) {
+ 				length = string->len - from;
+ 			}
+ 
+ 			start = string->val + from;
+ 			end   = start + (length & -4);
+ 		} else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) {
+-			if (from + length >= string->len) {
++			if (length >= string->len - from) {
+ 				length = string->len - from;
+ 			}
+ 
+@@ -1539,7 +1539,7 @@ mbfl_strcut(
+ 			start = p;
+ 
+ 			/* search end position */
+-			if ((start - string->val) + length >= (int)string->len) {
++			if (length >= (int)string->len - (start - string->val)) {
+ 				end = string->val + string->len;
+ 			} else {
+ 				for (q = p + length; p < q; p += (m = mbtab[*p]));
+-- 
+2.1.4
+