@- Fixed memory corruption in fgetss(), strip_tags() and gzgetss() (Zeev)

26 years ago · 489b705d4b
4 changed files with 19 additions and 6 deletions
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@ -1051,6 +1051,8 @@ PHP_FUNCTION(fgetss)
 	int issock=0;
 	int socketd=0;
 	void *what;
+	char *allowed_tags=NULL;
+	int allowed_tags_len=0;
 	FIL_FETCH();

 	switch(ARG_COUNT(ht)) {
@ -1064,6 +1066,8 @@ PHP_FUNCTION(fgetss)
 			RETURN_FALSE;
 		}
 		convert_to_string_ex(allow);
+		allowed_tags = (*allow)->value.str.val;
+		allowed_tags_len = (*allow)->value.str.len;
 		break;
 	default:
 		WRONG_PARAM_COUNT;
@ -1091,7 +1095,7 @@ PHP_FUNCTION(fgetss)
 	}

 	/* strlen() can be used here since we are doing it on the return of an fgets() anyway */
-	php_strip_tags(buf, strlen(buf), FIL(fgetss_state), allow?(*allow)->value.str.val:NULL);
+	php_strip_tags(buf, strlen(buf), FIL(fgetss_state), allowed_tags, allowed_tags_len);

 	RETURN_STRING(buf, 0);
 }
--- a/ext/standard/php_string.h
+++ b/ext/standard/php_string.h
@ -95,7 +95,7 @@ extern PHPAPI char *php_stristr(unsigned char *s, unsigned char *t, size_t s_len
 extern PHPAPI char *php_str_to_str(char *haystack, int length, char *needle,
 		int needle_len, char *str, int str_len, int *_new_length);
 extern PHPAPI void php_trim(pval *str, pval *return_value, int mode);
-extern PHPAPI void php_strip_tags(char *rbuf, int len, int state, char *allow);
+extern PHPAPI void php_strip_tags(char *rbuf, int len, int state, char *allow, int allow_len);

 extern PHPAPI void php_char_to_str(char *str, uint len, char from, char *to, int to_len, pval *result);

--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@ -2038,6 +2038,8 @@ PHP_FUNCTION(strip_tags)
 {
 	char *buf;
 	zval **str, **allow=NULL;
+	char *allowed_tags=NULL;
+	int allowed_tags_len=0;

 	switch(ARG_COUNT(ht)) {
 		case 1:
@ -2050,6 +2052,8 @@ PHP_FUNCTION(strip_tags)
 				RETURN_FALSE;
 			}
 			convert_to_string_ex(allow);
+			allowed_tags = (*allow)->value.str.val;
+			allowed_tags_len = (*allow)->value.str.len;
 			break;
 		default:
 			WRONG_PARAM_COUNT;
@ -2057,7 +2061,7 @@ PHP_FUNCTION(strip_tags)
 	}
 	convert_to_string_ex(str);
 	buf = estrdup((*str)->value.str.val);
-	php_strip_tags(buf, (*str)->value.str.len, 0, allow?(*allow)->value.str.val:NULL);
+	php_strip_tags(buf, (*str)->value.str.len, 0, allowed_tags, allowed_tags_len);
 	RETURN_STRING(buf, 0);
 }
 /* }}} */
@ -2203,7 +2207,8 @@ int php_tag_find(char *tag, int len, char *set) {
 	in state 1 and when the tag is closed check it against the
 	allow string to see if we should allow it.
 */
-PHPAPI void php_strip_tags(char *rbuf, int len, int state, char *allow) {
+PHPAPI void php_strip_tags(char *rbuf, int len, int state, char *allow, int allow_len)
+{
 	char *tbuf, *buf, *p, *tp, *rp, c, lc;
 	int br, i=0;

@ -2214,7 +2219,7 @@ PHPAPI void php_strip_tags(char *rbuf, int len, int state, char *allow) {
 	rp = rbuf;
 	br = 0;
 	if(allow) {
-		php_strtolower(allow, len);
+		php_strtolower(allow, allow_len);
 		tbuf = emalloc(PHP_TAG_BUF_SIZE+1);
 		tp = tbuf;
 	} else {
--- a/ext/zlib/zlib.c
+++ b/ext/zlib/zlib.c
@ -484,6 +484,8 @@ PHP_FUNCTION(gzgetss)
 	gzFile *zp;
 	int len;
 	char *buf;
+	char *allowed_tags=NULL;
+	int allowed_tags_len=0;
 	ZLIBLS_FETCH();
 	
 	switch(ARG_COUNT(ht)) {
@ -497,6 +499,8 @@ PHP_FUNCTION(gzgetss)
 				RETURN_FALSE;
 			}
 			convert_to_string_ex(allow);
+			allowed_tags = (*allow)->value.str.val;
+			allowed_tags_len = (*allow)->value.str.len;
 			break;
 		default:
 			WRONG_PARAM_COUNT;
@ -519,7 +523,7 @@ PHP_FUNCTION(gzgetss)
 	}

 	/* strlen() can be used here since we are doing it on the return of an fgets() anyway */
-	php_strip_tags(buf, strlen(buf), ZLIBG(gzgetss_state), allow?(*allow)->value.str.val:NULL);
+	php_strip_tags(buf, strlen(buf), ZLIBG(gzgetss_state), allowed_tags, allowed_tags_len);
 	RETURN_STRING(buf, 0);
 	
 }