From 0f79b1bf301f455967676b5129240140c5c45b09 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 20 Jan 2020 21:33:17 -0800
Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex
---
ext/standard/string.c | 6 ++---
ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++
2 files changed, 35 insertions(+), 3 deletions(-)
create mode 100644 ext/standard/tests/file/bug79099.phpt
diff --git a/ext/standard/string.c b/ext/standard/string.c
index da51cd0966fc..fb44cc505d9d 100644
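--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4866,7 +4866,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
 if (state == 4) {
 /* Inside <!-- comment --> */
 break;
- } else if (state == 2 && *(p-1) != '\\') {
+ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') {
 if (lc == c) {
 lc = '\0';
 } else if (lc != '\\') {
@@ -4893,7 +4893,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
 
 case '!':
 /* JavaScript & Other HTML scripting languages */
- if (state == 1 && *(p-1) == '<') {
+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
 state = 3;
 lc = c;
 } else {
@@ -4920,7 +4920,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
 
 case '?':
 
- if (state == 1 && *(p-1) == '<') {
+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
 br=0;
 state=2;
 break;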
diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt
new file mode 100644
index 000000000000..7c842f4654f0
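--- /dev/null
+++ b/ext/standard/tests/file/bug79099.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #79099 (OOB read in php_strip_tags_ex)
+--FILE--
+<?php
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<?\n\"\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n!\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n?\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+?>
+--EXPECT--
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""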
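Review bot: The `--EXPECT--` block is six empty strings, which an unpatched build would probably print as well, because a one-byte read in front of the buffer rarely changes the output; the test likely fails only under a memory checker. A `--DESCRIPTION--` section saying so would keep it from being read as an output regression test, e.g. `Only meaningful under ASan or valgrind (run-tests.php -m)`. fgetss() is deprecated as of PHP 7.3, so on those branches the expected output would presumably also need the deprecation notices.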