path: root/meta-oe/recipes-devtools/php/php/CVE-2020-7059.patch
From 1adaab3aa81fa9b48e351b5644d9fee70f2fe73f Mon Sep 17 00:00:00 2001
From: Li Zhou <li.zhou@windriver.com>
Date: Thu, 20 Feb 2020 02:05:52 -0800
Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex

Upstream-Status: Backport
CVE: CVE-2020-7059
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
 ext/standard/string.c                 |  6 +++---
 ext/standard/tests/file/bug79099.phpt | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 ext/standard/tests/file/bug79099.phpt

diff --git a/ext/standard/string.c b/ext/standard/string.c
index dde97fa..2213d8d 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -5163,7 +5163,7 @@ state_1:
 			}
 
 			lc = '>';
-			if (is_xml && *(p -1) == '-') {
+			if (is_xml && p >= buf + 1 && *(p -1) == '-') {
 				break;
 			}
 			in_q = state = is_xml = 0;
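Review bot: The lower bound is added at only three lookbehind sites (this one and the `'!'` and `'?'` cases in the next two hunks), and the rest of the function lies outside the hunks, so it cannot be confirmed from here that every other `*(p-1)` or `*(p-2)` read is bounded the same way. Checking each remaining lookbehind in this function against `buf` before merging the backport would close that gap. The guard would also benefit from a one-line reason at its first use, for example `/* p == buf when a call starts inside a tag: there is no previous byte in this buffer */`. The enclosing case starts above the hunk.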
@@ -5195,7 +5195,7 @@ state_1:
 			goto reg_char_1;
 		case '!':
 			/* JavaScript & Other HTML scripting languages */
-			if (*(p-1) == '<') {
+			if (p >= buf + 1 && *(p-1) == '<') {
 				state = 3;
 				lc = c;
 				p++;
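Review bot: With this guard, a `!` that is the first byte of the buffer is never recognised as `<!`, even if the previous call ended on `<` and left the parser in this state; the same applies to the `'?'` case in the next hunk. That is memory-safe, but the result then depends on where a caller that feeds input in pieces happens to split it (the added test reads through fgetss in successive calls), and nothing at the site says whether this is intended. If it is accepted, record it there, e.g. `/* at buffer start the preceding byte belongs to an earlier call and is not available */`. Otherwise the last byte would have to be carried in the saved state. Both case bodies continue outside the hunks.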
@@ -5205,7 +5205,7 @@ state_1:
 			}
 			break;
 		case '?':
-			if (*(p-1) == '<') {
+			if (p >= buf + 1 && *(p-1) == '<') {
 				br=0;
 				state = 2;
 				p++;
diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt
new file mode 100644
index 0000000..a1f2a33
--- /dev/null
+++ b/ext/standard/tests/file/bug79099.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #79099 (OOB read in php_strip_tags_ex)
+--FILE--
+<?php
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<?\n\"\n");
+rewind($stream);
+var_dump(@fgetss($stream));
+var_dump(@fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n!\n");
+rewind($stream);
+var_dump(@fgetss($stream));
+var_dump(@fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n?\n");
+rewind($stream);
+var_dump(@fgetss($stream));
+var_dump(@fgetss($stream));
+fclose($stream);
+?>
+--EXPECT--
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
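Review bot: The expected output is six empty strings, which an unpatched build would most likely print too, since a one-byte read before the buffer rarely changes the result. The test therefore only catches a regression under a memory checker (run-tests.php with `-m`, or an ASan build), which deserves a comment in the `--FILE--` section such as `// the OOB read is only visible under valgrind/ASan; plain output is the same without the fix`. The three inputs start the second read on `"`, `!` and `?`, so the `is_xml` guard in the first string.c hunk has no case here. The `"` input appears to reach a quote-handling lookbehind that is not among the patched lines, so it is worth confirming that site is already bounded in this PHP version.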
-- 
1.9.1