From: Moriyoshi Koizumi <moriyoshi@php.net>
Date: Sat, 12 Jul 2003 09:33:58 +0000 (+0000)
Subject: MFH(r-1.393): fixed bug #24556
X-Git-Tag: php-4.3.3RC2~129
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f725d7b180d19809cb9f9e1cb20c86e1fc21f9c0;p=php

MFH(r-1.393): fixed bug #24556
---

diff --git a/ext/standard/string.c b/ext/standard/string.c
index c8310fcde2..2bf5719bff 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -3352,6 +3352,7 @@ PHPAPI size_t php_strip_tags(char *rbuf, int len, int *stateptr, char *allow, in
 					lc = '<';
 					state = 1;
 					if (allow) {
+						tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
 						*(tp++) = '<';
 					}
 				} else if (state == 1) {
@@ -3366,6 +3367,7 @@ PHPAPI size_t php_strip_tags(char *rbuf, int len, int *stateptr, char *allow, in
 						br++;
 					}
 				} else if (allow && state == 1) {
+					tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
 					*(tp++) = c;
 				} else if (state == 0) {
 					*(rp++) = c;
@@ -3379,6 +3381,7 @@ PHPAPI size_t php_strip_tags(char *rbuf, int len, int *stateptr, char *allow, in
 						br--;
 					}
 				} else if (allow && state == 1) {
+					tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
 					*(tp++) = c;
 				} else if (state == 0) {
 					*(rp++) = c;
@@ -3396,6 +3399,7 @@ PHPAPI size_t php_strip_tags(char *rbuf, int len, int *stateptr, char *allow, in
 						lc = '>';
 						state = 0;
 						if (allow) {
+							tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
 							*(tp++) = '>';
 							*tp='\0';
 							if (php_tag_find(tbuf, tp-tbuf, allow)) {
@@ -3442,6 +3446,7 @@ PHPAPI size_t php_strip_tags(char *rbuf, int len, int *stateptr, char *allow, in
 				} else if (state == 0) {
 					*(rp++) = c;
 				} else if (allow && state == 1) {
+					tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
 					*(tp++) = c;
 				}
 				break;
@@ -3455,11 +3460,8 @@ PHPAPI size_t php_strip_tags(char *rbuf, int len, int *stateptr, char *allow, in
 					if (state == 0) {
 						*(rp++) = c;
 					} else if (allow && state == 1) {
+						tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
 						*(tp++) = c;
-						if ( (tp-tbuf) >= PHP_TAG_BUF_SIZE ) {
-							/* prevent buffer overflows */
-							tp = tbuf;
-						}
 					}
 				}
 				break;
@@ -3474,7 +3476,7 @@ PHPAPI size_t php_strip_tags(char *rbuf, int len, int *stateptr, char *allow, in
 
 			case '?':
 
-				if (state == 1 && *(p-1)=='<') { 
+				if (state == 1 && *(p-1) == '<') { 
 					br=0;
 					state=2;
 					break;
@@ -3512,10 +3514,8 @@ reg_char:
 				if (state == 0) {
 					*(rp++) = c;
 				} else if (allow && state == 1) {
+					tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
 					*(tp++) = c;
-					if ( (tp-tbuf) >= PHP_TAG_BUF_SIZE ) { /* no buffer overflows */
-						tp = tbuf;
-					}
 				} 
 				break;
 		}