-rw-r--r-- | ext/standard/string.c | 6 | ||||
-rw-r--r-- | ext/standard/tests/file/bug79099.phpt | 32 |
2 files changed, 35 insertions, 3 deletions
diff --git a/ext/standard/string.c b/ext/standard/string.c
index da51cd0966..fb44cc505d 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4866,7 +4866,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
 if (state == 4) {
 /* Inside <!-- comment --> */
 break;
- } else if (state == 2 && *(p-1) != '\\') {
+ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') {
 if (lc == c) {
 lc = '\0';
 } else if (lc != '\\') {
@@ -4893,7 +4893,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
 case '!':
 /* JavaScript & Other HTML scripting languages */
- if (state == 1 && *(p-1) == '<') {
+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
 state = 3;
 lc = c;
 } else {
@@ -4920,7 +4920,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
 case '?':
- if (state == 1 && *(p-1) == '<') {
+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
 br=0;
 state=2;
 break;
diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt
new file mode 100644
index 0000000000..7c842f4654
--- /dev/null
+++ b/ext/standard/tests/file/bug79099.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #79099 (OOB read in php_strip_tags_ex)
+--FILE--
+<?php
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<?\n\"\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n!\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n?\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+?>
+--EXPECT--
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) "" |
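Review bot: The new `p >= buf + 1` guard is repeated at all three sites (the `state == 2` quote branch in the first hunk, `case '!'` and `case '?'` in the next two) with no comment saying when `p` can equal `buf`, so a later reader has no reason to keep it. The added test suggests this happens when tag state is carried over from an earlier call through `stateptr` and the next buffer starts with the quote, `!` or `?`; a comment such as `/* p == buf when state was carried over from a previous call: no previous byte in this buffer */` at the first site would record that, and `p > buf` states the same condition more directly. Treating the missing byte as a non-match also means a `<` that ended the previous buffer is not seen by the `!` and `?` checks, which looks acceptable for an out-of-bounds fix but is worth confirming. The function body, including the declaration of `buf` and any other `*(p-1)` reads, lies outside these hunks.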
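Review bot: The `--EXPECT--` section only checks that each `fgetss()` call returns an empty string, and a one-byte read in front of the buffer would probably produce the same output on an unpatched build, so this test is likely to catch a regression only when the suite runs under a memory checker such as valgrind or AddressSanitizer. A short comment after `<?php`, for example `// Second fgetss() call enters php_strip_tags_ex() with carried-over state; run under valgrind/ASan to observe the OOB read`, would tell maintainers how the test is meant to be used. The three streams appear to map one-to-one onto the three guarded sites in string.c (quote after `<?`, then `!`, then `?` at the start of the second line).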