|
From 2010adf1329e452f31aa61f19605b4b01ba9774f Mon Sep 17 00:00:00 2001 |
|
From: "Christoph M. Becker" <cmbecker69@gmx.de> |
|
Date: Tue, 14 Jan 2020 12:33:22 +0100 |
|
Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex |
|
|
|
Even if `state > 0`, we must not assume that `p > buf`. |
|
--- |
|
ext/standard/string.c | 6 ++--- |
|
ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++ |
|
2 files changed, 35 insertions(+), 3 deletions(-) |
|
create mode 100644 ext/standard/tests/file/bug79099.phpt |
|
|
|
diff --git a/ext/standard/string.c b/ext/standard/string.c |
|
index da51cd0966..fb44cc505d 100644 |
|
--- a/ext/standard/string.c |
|
+++ b/ext/standard/string.c |
|
@@ -4866,7 +4866,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const |
|
if (state == 4) { |
|
/* Inside <!-- comment --> */ |
|
break; |
|
- } else if (state == 2 && *(p-1) != '\\') { |
|
+ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') { |
|
if (lc == c) { |
|
lc = '\0'; |
|
} else if (lc != '\\') { |
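Review bot: The new guard `p >= buf + 1` on the `state == 2` branch gives no hint of why the first byte of a buffer is special, and the commit message's own form `p > buf` expresses the same bound more directly; the `'!'` and `'?'` hunks below add the identical guard and would take the same comment. When `p == buf` the byte before the cursor belongs to an earlier call (the parser state appears to be carried across calls through `stateptr` in the signature), so it cannot be inspected and the branch is conservatively skipped — a quote opening a new chunk in state 2 is thereby treated as if escaped, which the bug79099 test pins down. I would write `} else if (state == 2 && p > buf && *(p-1) != '\\') { /* p == buf: previous byte lives in an earlier chunk, never read it */`. The enclosing switch and the body of php_strip_tags_ex extend outside this hunk.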
|
@@ -4893,7 +4893,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const |
|
|
|
case '!': |
|
/* JavaScript & Other HTML scripting languages */ |
|
- if (state == 1 && *(p-1) == '<') { |
|
+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { |
|
state = 3; |
|
lc = c; |
|
} else { |
|
@@ -4920,7 +4920,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const |
|
|
|
case '?': |
|
|
|
- if (state == 1 && *(p-1) == '<') { |
|
+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { |
|
br=0; |
|
state=2; |
|
break; |
|
diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt |
|
new file mode 100644 |
|
index 0000000000..7c842f4654 |
|
--- /dev/null |
|
+++ b/ext/standard/tests/file/bug79099.phpt |
|
@@ -0,0 +1,32 @@ |
|
+--TEST-- |
|
+Bug #79099 (OOB read in php_strip_tags_ex) |
|
+--FILE-- |
|
+<?php |
|
+$stream = fopen('php://memory', 'w+'); |
|
+fputs($stream, "<?\n\"\n"); |
|
+rewind($stream); |
|
+var_dump(fgetss($stream)); |
|
+var_dump(fgetss($stream)); |
|
+fclose($stream); |
|
+ |
|
+$stream = fopen('php://memory', 'w+'); |
|
+fputs($stream, "<\0\n!\n"); |
|
+rewind($stream); |
|
+var_dump(fgetss($stream)); |
|
+var_dump(fgetss($stream)); |
|
+fclose($stream); |
|
+ |
|
+$stream = fopen('php://memory', 'w+'); |
|
+fputs($stream, "<\0\n?\n"); |
|
+rewind($stream); |
|
+var_dump(fgetss($stream)); |
|
+var_dump(fgetss($stream)); |
|
+fclose($stream); |
|
+?> |
|
+--EXPECT-- |
|
+string(0) "" |
|
+string(0) "" |
|
+string(0) "" |
|
+string(0) "" |
|
+string(0) "" |
|
+string(0) "" |
|
-- |
|
2.24.1.windows.2 |
|
|