cmb69/0001-Fix-79099-OOB-read-in-php_strip_tags_ex.patch Secret

## 0001-Fix-79099-OOB-read-in-php_strip_tags_ex.patch
From 2010adf1329e452f31aa61f19605b4b01ba9774f Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 14 Jan 2020 12:33:22 +0100
Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex

Even if `state > 0`, we must not assume that `p > buf`.
---
 ext/standard/string.c                 |  6 ++---
 ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 ext/standard/tests/file/bug79099.phpt

diff --git a/ext/standard/string.c b/ext/standard/string.c
index da51cd0966..fb44cc505d 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4866,7 +4866,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
 				if (state == 4) {
 					/* Inside <!-- comment --> */
 					break;
-				} else if (state == 2 && *(p-1) != '\\') {
+				} else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') {
 					if (lc == c) {
 						lc = '\0';
 					} else if (lc != '\\') {
@@ -4893,7 +4893,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const

 			case '!':
 				/* JavaScript & Other HTML scripting languages */
-				if (state == 1 && *(p-1) == '<') {
+				if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
 					state = 3;
 					lc = c;
 				} else {
@@ -4920,7 +4920,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const

 			case '?':

-				if (state == 1 && *(p-1) == '<') {
+				if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
 					br=0;
 					state=2;
 					break;
diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt
new file mode 100644
index 0000000000..7c842f4654
--- /dev/null
+++ b/ext/standard/tests/file/bug79099.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #79099 (OOB read in php_strip_tags_ex)
+--FILE--
+<?php
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<?\n\"\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n!\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n?\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+?>
+--EXPECT--
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
--
2.24.1.windows.2
	From 2010adf1329e452f31aa61f19605b4b01ba9774f Mon Sep 17 00:00:00 2001
	From: "Christoph M. Becker" <cmbecker69@gmx.de>
	Date: Tue, 14 Jan 2020 12:33:22 +0100
	Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex

	Even if `state > 0`, we must not assume that `p > buf`.
	---
	ext/standard/string.c \| 6 ++---
	ext/standard/tests/file/bug79099.phpt \| 32 +++++++++++++++++++++++++++
	2 files changed, 35 insertions(+), 3 deletions(-)
	create mode 100644 ext/standard/tests/file/bug79099.phpt

	diff --git a/ext/standard/string.c b/ext/standard/string.c
	index da51cd0966..fb44cc505d 100644
	--- a/ext/standard/string.c
	+++ b/ext/standard/string.c
	@@ -4866,7 +4866,7 @@ PHPAPI size_t php_strip_tags_ex(char rbuf, size_t len, uint8_t stateptr, const
	if (state == 4) {
	/* Inside <!-- comment --> */
	break;
	- } else if (state == 2 && *(p-1) != '\\') {
	+ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') {
	if (lc == c) {
	lc = '\0';
	} else if (lc != '\\') {
	@@ -4893,7 +4893,7 @@ PHPAPI size_t php_strip_tags_ex(char rbuf, size_t len, uint8_t stateptr, const

	case '!':
	/* JavaScript & Other HTML scripting languages */
	- if (state == 1 && *(p-1) == '<') {
	+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
	state = 3;
	lc = c;
	} else {
	@@ -4920,7 +4920,7 @@ PHPAPI size_t php_strip_tags_ex(char rbuf, size_t len, uint8_t stateptr, const

	case '?':

	- if (state == 1 && *(p-1) == '<') {
	+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
	br=0;
	state=2;
	break;
	diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt
	new file mode 100644
	index 0000000000..7c842f4654
	--- /dev/null
	+++ b/ext/standard/tests/file/bug79099.phpt
	@@ -0,0 +1,32 @@
	+--TEST--
	+Bug #79099 (OOB read in php_strip_tags_ex)
	+--FILE--
	+<?php
	+$stream = fopen('php://memory', 'w+');
	+fputs($stream, "<?\n\"\n");
	+rewind($stream);
	+var_dump(fgetss($stream));
	+var_dump(fgetss($stream));
	+fclose($stream);
	+
	+$stream = fopen('php://memory', 'w+');
	+fputs($stream, "<\0\n!\n");
	+rewind($stream);
	+var_dump(fgetss($stream));
	+var_dump(fgetss($stream));
	+fclose($stream);
	+
	+$stream = fopen('php://memory', 'w+');
	+fputs($stream, "<\0\n?\n");
	+rewind($stream);
	+var_dump(fgetss($stream));
	+var_dump(fgetss($stream));
	+fclose($stream);
	+?>
	+--EXPECT--
	+string(0) ""
	+string(0) ""
	+string(0) ""
	+string(0) ""
	+string(0) ""
	+string(0) ""
	--
	2.24.1.windows.2