- fix #39863, do not accept paths with NULL in them. See http://news.php.net/php.internals/50191, trunk will have the patch later (adding a macro and/or changing (some) APIs. Patch by Rasmus

1 files changed, 14 insertions, 2 deletions

diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c
index dfc15d97f0..5a8cc0d1fa 100644
--- a/ext/tidy/tidy.c
+++ b/ext/tidy/tidy.c
@@ -567,6 +567,9 @@ static void php_tidy_quick_repair(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_fil
 	}
 	
 	if (is_file) {
+		if (strlen(arg1) != arg1_len) {
+			RETURN_FALSE;
+		}
 		if (!(data = php_tidy_file_to_mem(arg1, use_include_path, &data_len TSRMLS_CC))) {
 			RETURN_FALSE;
 		}
@@ -1221,6 +1224,9 @@ static PHP_FUNCTION(tidy_parse_file)
 		RETURN_FALSE;
 	}
 
+	if (strlen(inputfile) != input_len) {
+		RETURN_FALSE;
+	}
 	tidy_instanciate(tidy_ce_doc, return_value TSRMLS_CC);
 	obj = (PHPTidyObj *) zend_object_store_get_object(return_value TSRMLS_CC);
 
@@ -1534,10 +1540,13 @@ static TIDY_DOC_METHOD(__construct)
 							  &options, &enc, &enc_len, &use_include_path) == FAILURE) {
 		RETURN_FALSE;
 	}
-	
+
 	obj = (PHPTidyObj *)zend_object_store_get_object(object TSRMLS_CC);
 	
 	if (inputfile) {
+		if (strlen(inputfile) != input_len) {
+			RETURN_FALSE;
+		}
 		if (!(contents = php_tidy_file_to_mem(inputfile, use_include_path, &contents_len TSRMLS_CC))) {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot Load '%s' into memory %s", inputfile, (use_include_path) ? "(Using include path)" : "");
 			return;
@@ -1568,7 +1577,10 @@ static TIDY_DOC_METHOD(parseFile)
 							  &options, &enc, &enc_len, &use_include_path) == FAILURE) {
 		RETURN_FALSE;
 	}
-	
+
+	if (strlen(inputfile) != input_len) {
+		RETURN_FALSE;
+	}
 	if (!(contents = php_tidy_file_to_mem(inputfile, use_include_path, &contents_len TSRMLS_CC))) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot Load '%s' into memory %s", inputfile, (use_include_path) ? "(Using include path)" : "");
 		RETURN_FALSE;