summaryrefslogtreecommitdiffstats
path: root/php-bug79099.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2020-01-21 11:03:29 +0100
committerRemi Collet <remi@remirepo.net>2020-01-21 11:03:29 +0100
commitb8dbeb1b6f3d8edbc2a037bba97a31ee53848dbd (patch)
tree5f3a2ef6906ba3e3dfd1b78c7d09af7c8ba1822a /php-bug79099.patch
parent2708c128c5462b69ba61c88f5ff770d492944192 (diff)
mbstring:
Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar CVE-2020-7060 standard: Fix #79099 OOB read in php_strip_tags_ex CVE-2020-7059
Diffstat (limited to 'php-bug79099.patch')
-rw-r--r--php-bug79099.patch81
1 files changed, 81 insertions, 0 deletions
diff --git a/php-bug79099.patch b/php-bug79099.patch
new file mode 100644
index 0000000..c0b5e72
--- /dev/null
+++ b/php-bug79099.patch
@@ -0,0 +1,81 @@
+From 89084ce9e34ed38403f8cbb5d67e6299f1b1ab60 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jan 2020 21:33:17 -0800
+Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex
+
+(cherry picked from commit 0f79b1bf301f455967676b5129240140c5c45b09)
+---
+ ext/standard/string.c | 6 ++---
+ ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++
+ 2 files changed, 35 insertions(+), 3 deletions(-)
+ create mode 100644 ext/standard/tests/file/bug79099.phpt
+
+diff --git a/ext/standard/string.c b/ext/standard/string.c
+index a8b39ee615..c4b5e031ed 100644
+--- a/ext/standard/string.c
++++ b/ext/standard/string.c
+@@ -4757,7 +4757,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha
+ if (state == 4) {
+ /* Inside <!-- comment --> */
+ break;
+- } else if (state == 2 && *(p-1) != '\\') {
++ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') {
+ if (lc == c) {
+ lc = '\0';
+ } else if (lc != '\\') {
+@@ -4784,7 +4784,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha
+
+ case '!':
+ /* JavaScript & Other HTML scripting languages */
+- if (state == 1 && *(p-1) == '<') {
++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
+ state = 3;
+ lc = c;
+ } else {
+@@ -4811,7 +4811,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha
+
+ case '?':
+
+- if (state == 1 && *(p-1) == '<') {
++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
+ br=0;
+ state=2;
+ break;
+diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt
+new file mode 100644
+index 0000000000..7c842f4654
+--- /dev/null
++++ b/ext/standard/tests/file/bug79099.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #79099 (OOB read in php_strip_tags_ex)
++--FILE--
++<?php
++$stream = fopen('php://memory', 'w+');
++fputs($stream, "<?\n\"\n");
++rewind($stream);
++var_dump(fgetss($stream));
++var_dump(fgetss($stream));
++fclose($stream);
++
++$stream = fopen('php://memory', 'w+');
++fputs($stream, "<\0\n!\n");
++rewind($stream);
++var_dump(fgetss($stream));
++var_dump(fgetss($stream));
++fclose($stream);
++
++$stream = fopen('php://memory', 'w+');
++fputs($stream, "<\0\n?\n");
++rewind($stream);
++var_dump(fgetss($stream));
++var_dump(fgetss($stream));
++fclose($stream);
++?>
++--EXPECT--
++string(0) ""
++string(0) ""
++string(0) ""
++string(0) ""
++string(0) ""
++string(0) ""