From 489b705d4b15ac0774cd30bf011c32abcfc1af23 Mon Sep 17 00:00:00 2001
From: Zeev Suraski
Date: Tue, 8 Feb 2000 21:29:18 +0000
Subject: [PATCH] @- Fixed memory corruption in fgetss(), strip_tags() and gzgetss() (Zeev)
---
 ext/standard/file.c | 6 +++++-
 ext/standard/php_string.h | 2 +-
 ext/standard/string.c | 11 ++++++++---
 ext/zlib/zlib.c | 6 +++++-
 4 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/ext/standard/file.c b/ext/standard/file.c
index 27eb079f31..d1f7792ba9 100644
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -1051,6 +1051,8 @@ PHP_FUNCTION(fgetss)
 int issock=0;
 int socketd=0;
 void *what;
+ char *allowed_tags=NULL;
+ int allowed_tags_len=0;
 FIL_FETCH();
 switch(ARG_COUNT(ht)) {
@@ -1064,6 +1066,8 @@ PHP_FUNCTION(fgetss)
 RETURN_FALSE;
 }
 convert_to_string_ex(allow);
+ allowed_tags = (*allow)->value.str.val;
+ allowed_tags_len = (*allow)->value.str.len;
 break;
 default:
 WRONG_PARAM_COUNT;
@@ -1091,7 +1095,7 @@ PHP_FUNCTION(fgetss)
 }
 /* strlen() can be used here since we are doing it on the return of an fgets() anyway */
- php_strip_tags(buf, strlen(buf), FIL(fgetss_state), allow?(*allow)->value.str.val:NULL);
+ php_strip_tags(buf, strlen(buf), FIL(fgetss_state), allowed_tags, allowed_tags_len);
 RETURN_STRING(buf, 0);
 }
diff --git a/ext/standard/php_string.h b/ext/standard/php_string.h
index 324e995628..fe4fcc5bcb 100644
--- a/ext/standard/php_string.h
+++ b/ext/standard/php_string.h
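Review bot: In the fgetss hunk at @@ -1064, `allowed_tags` is a bare alias of `(*allow)->value.str.val`, and that same pointer is later lowercased in place by `php_strtolower` inside `php_strip_tags` (string.c hunk at @@ -2214), so the argument zval's buffer is mutated as a side effect of the call rather than a private copy. The strip_tags hunk at @@ -2050 and the gzgetss hunk at @@ -497 alias the zval buffer the same way. Whether a script variable can observe the change depends on how the argument was fetched and separated, which is outside the hunk, but the aliasing deserves a comment at each assignment, e.g. `/* aliases the argument's buffer; php_strip_tags() lowercases it in place */`, or an `estrndup` copy if the mutation is unwanted. The bodies of all three functions continue outside the hunks.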
@@ -95,7 +95,7 @@ extern PHPAPI char *php_stristr(unsigned char *s, unsigned char *t, size_t s_len
 extern PHPAPI char *php_str_to_str(char *haystack, int length, char *needle, int needle_len, char *str, int str_len, int *_new_length);
 extern PHPAPI void php_trim(pval *str, pval *return_value, int mode);
-extern PHPAPI void php_strip_tags(char *rbuf, int len, int state, char *allow);
+extern PHPAPI void php_strip_tags(char *rbuf, int len, int state, char *allow, int allow_len);
 extern PHPAPI void php_char_to_str(char *str, uint len, char from, char *to, int to_len, pval *result);
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 783250d93b..30a54d73b0 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -2038,6 +2038,8 @@ PHP_FUNCTION(strip_tags)
 {
 char *buf;
 zval **str, **allow=NULL;
+ char *allowed_tags=NULL;
+ int allowed_tags_len=0;
 switch(ARG_COUNT(ht)) {
 case 1:
@@ -2050,6 +2052,8 @@ PHP_FUNCTION(strip_tags)
 RETURN_FALSE;
 }
 convert_to_string_ex(allow);
+ allowed_tags = (*allow)->value.str.val;
+ allowed_tags_len = (*allow)->value.str.len;
 break;
 default:
 WRONG_PARAM_COUNT;
@@ -2057,7 +2061,7 @@ PHP_FUNCTION(strip_tags)
 }
 convert_to_string_ex(str);
 buf = estrdup((*str)->value.str.val);
- php_strip_tags(buf, (*str)->value.str.len, 0, allow?(*allow)->value.str.val:NULL);
+ php_strip_tags(buf, (*str)->value.str.len, 0, allowed_tags, allowed_tags_len);
 RETURN_STRING(buf, 0);
 }
 /* }}} */
@@ -2203,7 +2207,8 @@ int php_tag_find(char *tag, int len, char *set) {
 in state 1 and when the tag is closed check it against the allow string to see if we should allow it. */
-PHPAPI void php_strip_tags(char *rbuf, int len, int state, char *allow) {
+PHPAPI void php_strip_tags(char *rbuf, int len, int state, char *allow, int allow_len)
+{
 char *tbuf, *buf, *p, *tp, *rp, c, lc;
 int br, i=0;
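Review bot: The php_string.h hunk at @@ -95 changes a PHPAPI prototype without stating the new contract, and nothing in the header tells a caller that `allow` is modified in place or that `allow_len` is the byte length of `allow` rather than of `rbuf`; the confusion between those two lengths is exactly what the old `php_strtolower(allow, len)` call got wrong. A comment on the declaration would pin it down: `/* Strips tags from rbuf (len bytes) in place; allow, when non-NULL, is lowercased in place and must be allow_len bytes long. */`. Since `php_strip_tags` is exported, any caller outside the four files in this patch will now fail to compile against the new prototype; that is the safe outcome, but worth stating in the commit message. The definition hunk at @@ -2203 in string.c would carry the same comment above the new signature; the function body continues outside the hunk.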
@@ -2214,7 +2219,7 @@ PHPAPI void php_strip_tags(char *rbuf, int len, int state, char *allow) {
 rp = rbuf;
 br = 0;
 if(allow) {
- php_strtolower(allow, len);
+ php_strtolower(allow, allow_len);
 tbuf = emalloc(PHP_TAG_BUF_SIZE+1);
 tp = tbuf;
 } else {
diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c
index 7033b6d067..6886aff995 100644
--- a/ext/zlib/zlib.c
+++ b/ext/zlib/zlib.c
@@ -484,6 +484,8 @@ PHP_FUNCTION(gzgetss)
 gzFile *zp;
 int len;
 char *buf;
+ char *allowed_tags=NULL;
+ int allowed_tags_len=0;
 ZLIBLS_FETCH();
 switch(ARG_COUNT(ht)) {
@@ -497,6 +499,8 @@ PHP_FUNCTION(gzgetss)
 RETURN_FALSE;
 }
 convert_to_string_ex(allow);
+ allowed_tags = (*allow)->value.str.val;
+ allowed_tags_len = (*allow)->value.str.len;
 break;
 default:
 WRONG_PARAM_COUNT;
@@ -519,7 +523,7 @@ PHP_FUNCTION(gzgetss)
 }
 /* strlen() can be used here since we are doing it on the return of an fgets() anyway */
- php_strip_tags(buf, strlen(buf), ZLIBG(gzgetss_state), allow?(*allow)->value.str.val:NULL);
+ php_strip_tags(buf, strlen(buf), ZLIBG(gzgetss_state), allowed_tags, allowed_tags_len);
 RETURN_STRING(buf, 0);
 }
-- 
2.40.0
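Review bot: In the string.c hunk at @@ -2214, `php_strtolower(allow, allow_len)` now walks the whole zval string by its stored length, while the later tag matching goes through `php_tag_find(char *tag, int len, char *set)` (signature visible in the @@ -2203 hunk header), which takes `set` without a length and presumably treats it as NUL-terminated; an allow string holding an embedded NUL would therefore be lowercased in full but, if that reading is right, matched only up to the NUL. That is not a memory-safety issue, but the reason for the new argument is subtle enough to deserve a why-comment: `/* allow_len, not len: len is the size of rbuf, allow is the caller's own buffer */`. The `if(allow)` guard still admits a non-NULL `allow` with `allow_len == 0`, which is harmless for the lowercase call but allocates `tbuf` for an empty allow list; the rest of php_strip_tags lies outside the hunk.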