Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
PHP bug #79099
From 2010adf1329e452f31aa61f19605b4b01ba9774f Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 14 Jan 2020 12:33:22 +0100
Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex
Even if `state > 0`, we must not assume that `p > buf`.
---
ext/standard/string.c | 6 ++---
ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++
2 files changed, 35 insertions(+), 3 deletions(-)
create mode 100644 ext/standard/tests/file/bug79099.phpt
diff --git a/ext/standard/string.c b/ext/standard/string.c
index da51cd0966..fb44cc505d 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4866,7 +4866,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
if (state == 4) {
/* Inside <!-- comment --> */
break;
- } else if (state == 2 && *(p-1) != '\\') {
+ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') {
if (lc == c) {
lc = '\0';
} else if (lc != '\\') {
@@ -4893,7 +4893,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
case '!':
/* JavaScript & Other HTML scripting languages */
- if (state == 1 && *(p-1) == '<') {
+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
state = 3;
lc = c;
} else {
@@ -4920,7 +4920,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
case '?':
- if (state == 1 && *(p-1) == '<') {
+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
br=0;
state=2;
break;
diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt
new file mode 100644
index 0000000000..7c842f4654
--- /dev/null
+++ b/ext/standard/tests/file/bug79099.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #79099 (OOB read in php_strip_tags_ex)
+--FILE--
+<?php
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<?\n\"\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n!\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n?\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+?>
+--EXPECT--
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
--
2.24.1.windows.2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment