php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #79156 Another OOB read in php_strip_tags_ex
Submitted: 2020-01-22 19:22 UTC Modified: 2020-01-23 07:15 UTC
From: ryat@php.net Assigned: stas (profile)
Status: Closed Package: Strings related
PHP Version: 7.2Git-2020-01-22 (Git) OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: ryat@php.net
New email:
PHP Version: OS:

 

 [2020-01-22 19:22 UTC] ryat@php.net 
Description:
------------
string.c:
```
PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const char *allow, size_t allow_len, zend_bool allow_tag_spaces)
{
	...
			case '>':
                ...
					case 2: /* PHP */
						if (!br && lc != '\"' && *(p-1) == '?') {
```

PoC:
```
<?php

$stream = fopen('php://memory', 'w+');
fputs($stream, "<?\n>");
rewind($stream);
var_dump(fgetss($stream));
var_dump(fgetss($stream));
fclose($stream);

?>
```

Fix:
```
if (!br && lc != '\"' && p >= buf + 1 && *(p-1) == '?') {
```

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-22 19:43 UTC] ryat@php.net
-Summary: OOB read in php_strip_tags_ex +Summary: Another OOB read in php_strip_tags_ex
 [2020-01-23 07:15 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2020-01-23 07:15 UTC] stas@php.net 
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Mon Dec 30 17:01:29 2024 UTC