diff options
author | Remi Collet <remi@remirepo.net> | 2020-01-21 11:03:29 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2020-01-21 11:03:29 +0100 |
commit | b8dbeb1b6f3d8edbc2a037bba97a31ee53848dbd (patch) | |
tree | 5f3a2ef6906ba3e3dfd1b78c7d09af7c8ba1822a /php-bug79099.patch | |
parent | 2708c128c5462b69ba61c88f5ff770d492944192 (diff) |
mbstring:
Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar
CVE-2020-7060
standard:
Fix #79099 OOB read in php_strip_tags_ex
CVE-2020-7059
Diffstat (limited to 'php-bug79099.patch')
-rw-r--r-- | php-bug79099.patch | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/php-bug79099.patch b/php-bug79099.patch new file mode 100644 index 0000000..c0b5e72 --- /dev/null +++ b/php-bug79099.patch @@ -0,0 +1,81 @@ +From 89084ce9e34ed38403f8cbb5d67e6299f1b1ab60 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 20 Jan 2020 21:33:17 -0800 +Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex + +(cherry picked from commit 0f79b1bf301f455967676b5129240140c5c45b09) +--- + ext/standard/string.c | 6 ++--- + ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++ + 2 files changed, 35 insertions(+), 3 deletions(-) + create mode 100644 ext/standard/tests/file/bug79099.phpt + +diff --git a/ext/standard/string.c b/ext/standard/string.c +index a8b39ee615..c4b5e031ed 100644 +--- a/ext/standard/string.c ++++ b/ext/standard/string.c +@@ -4757,7 +4757,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha + if (state == 4) { + /* Inside <!-- comment --> */ + break; +- } else if (state == 2 && *(p-1) != '\\') { ++ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') { + if (lc == c) { + lc = '\0'; + } else if (lc != '\\') { +@@ -4784,7 +4784,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha + + case '!': + /* JavaScript & Other HTML scripting languages */ +- if (state == 1 && *(p-1) == '<') { ++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { + state = 3; + lc = c; + } else { +@@ -4811,7 +4811,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha + + case '?': + +- if (state == 1 && *(p-1) == '<') { ++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { + br=0; + state=2; + break; +diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt +new file mode 100644 +index 0000000000..7c842f4654 +--- /dev/null ++++ b/ext/standard/tests/file/bug79099.phpt +@@ -0,0 +1,32 @@ ++--TEST-- ++Bug #79099 (OOB read in php_strip_tags_ex) ++--FILE-- ++<?php ++$stream = fopen('php://memory', 'w+'); ++fputs($stream, "<?\n\"\n"); ++rewind($stream); ++var_dump(fgetss($stream)); ++var_dump(fgetss($stream)); ++fclose($stream); ++ ++$stream = fopen('php://memory', 'w+'); ++fputs($stream, "<\0\n!\n"); ++rewind($stream); ++var_dump(fgetss($stream)); ++var_dump(fgetss($stream)); ++fclose($stream); ++ ++$stream = fopen('php://memory', 'w+'); ++fputs($stream, "<\0\n?\n"); ++rewind($stream); ++var_dump(fgetss($stream)); ++var_dump(fgetss($stream)); ++fclose($stream); ++?> ++--EXPECT-- ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" |