Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes long)

author: Ilia Alshanetsky <iliaa@php.net> 2010-02-01 12:59:08 +0000
committer: Ilia Alshanetsky <iliaa@php.net> 2010-02-01 12:59:08 +0000
commit: b0f76c253485334d1d917b45b867bce02f26ccd9 (patch)
tree: d0420539422dd6e8a47d9cbfa046deaaf8c5a1b8
parent: 8aa8b6135bfed495d575f4cb48cc21209ada99b1 (diff)
download: php-git-b0f76c253485334d1d917b45b867bce02f26ccd9.tar.gz
3 files changed, 49 insertions, 9 deletions
diff --git a/NEWS b/NEWS
index 8115ff6880..d7e7c3254d 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,8 @@ PHP                                                                        NEWS
 
 - Fixed bug #50859 (build fails with openssl 1.0 due to md2 deprecation).   
   (Ilia, hanno at hboeck dot de)
+- Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes
+  long). (Ilia)
 - Fixed bug #50829 (php.ini directive pdo_mysql.default_socket is ignored).
   (Ilia)
 - Fixed bug #50832 (HTTP fopen wrapper does not support passwordless HTTP
diff --git a/ext/standard/string.c b/ext/standard/string.c
index e537b310da..88b8099683 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4243,7 +4243,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 {
 	char *tbuf, *buf, *p, *tp, *rp, c, lc;
 	int br, i=0, depth=0, in_q = 0;
-	int state = 0;
+	int state = 0, pos;
 
 	if (stateptr)
 		state = *stateptr;
@@ -4256,7 +4256,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 	br = 0;
 	if (allow) {
 		php_strtolower(allow, allow_len);
-		tbuf = emalloc(PHP_TAG_BUF_SIZE+1);
+		tbuf = emalloc(PHP_TAG_BUF_SIZE + 1);
 		tp = tbuf;
 	} else {
 		tbuf = tp = NULL;
@@ -4277,7 +4277,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 					lc = '<';
 					state = 1;
 					if (allow) {
-						tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+						if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+							pos = tp - tbuf;
+							tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+							tp = tbuf + pos;
+						}
 						*(tp++) = '<';
 				 	}
 				} else if (state == 1) {
@@ -4292,7 +4296,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 						br++;
 					}
 				} else if (allow && state == 1) {
-					tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+					if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+						pos = tp - tbuf;
+						tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+						tp = tbuf + pos;
+					}
 					*(tp++) = c;
 				} else if (state == 0) {
 					*(rp++) = c;
@@ -4306,7 +4314,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 						br--;
 					}
 				} else if (allow && state == 1) {
-					tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+					if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+						pos = tp - tbuf;
+						tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+						tp = tbuf + pos;
+					}
 					*(tp++) = c;
 				} else if (state == 0) {
 					*(rp++) = c;
@@ -4328,7 +4340,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 						lc = '>';
 						in_q = state = 0;
 						if (allow) {
-							tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+							if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+								pos = tp - tbuf;
+								tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+								tp = tbuf + pos;
+							}
 							*(tp++) = '>';
 							*tp='\0';
 							if (php_tag_find(tbuf, tp-tbuf, allow)) {
@@ -4378,7 +4394,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 				} else if (state == 0) {
 					*(rp++) = c;
 				} else if (allow && state == 1) {
-					tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+					if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+						pos = tp - tbuf;
+						tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+						tp = tbuf + pos;
+					}
 					*(tp++) = c;
 				}
 				if (state && p != buf && (state == 1 || *(p-1) != '\\') && (!in_q || *p == in_q)) {
@@ -4399,7 +4419,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 					if (state == 0) {
 						*(rp++) = c;
 					} else if (allow && state == 1) {
-						tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+						if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+							pos = tp - tbuf;
+							tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+							tp = tbuf + pos;
+						}
 						*(tp++) = c;
 					}
 				}
@@ -4454,7 +4478,11 @@ reg_char:
 				if (state == 0) {
 					*(rp++) = c;
 				} else if (allow && state == 1) {
-					tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+					if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+						pos = tp - tbuf;
+						tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+						tp = tbuf + pos;
+					}
 					*(tp++) = c;
 				} 
 				break;
diff --git a/ext/standard/tests/strings/bug50847.phpt b/ext/standard/tests/strings/bug50847.phpt
new file mode 100644
index 0000000000..28e83f5111
--- /dev/null
+++ b/ext/standard/tests/strings/bug50847.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #50847 (strip_tags() removes all tags greater then 1023 bytes long)
+--FILE--
+<?php
+$var = '<param value="' . str_repeat("a", 2048) . '" />';
+var_dump(strip_tags($var, "<param>"), strip_tags($var));
+?>
+--EXPECT--
+string(2066) "<param value="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" />"
+string(0) ""
author	Ilia Alshanetsky <iliaa@php.net>	2010-02-01 12:59:08 +0000
committer	Ilia Alshanetsky <iliaa@php.net>	2010-02-01 12:59:08 +0000
commit	b0f76c253485334d1d917b45b867bce02f26ccd9 (patch)
tree	d0420539422dd6e8a47d9cbfa046deaaf8c5a1b8
parent	8aa8b6135bfed495d575f4cb48cc21209ada99b1 (diff)
download	php-git-b0f76c253485334d1d917b45b867bce02f26ccd9.tar.gz