ID: 24556
Updated by: [EMAIL PROTECTED]
Reported By: asykakimo at yahoo dot com dot tw
-Status: Verified
+Status: Assigned
Bug Type: Strings related
Operating System: Win2000
PHP Version: 4.3.3RC2-dev
Assigned To: moriyoshi
Previous Comments:
------------------------------------------------------------------------
[2003-07-09 08:20:37] [EMAIL PROTECTED]
This patch seems to plug the overflow:
Index: string.c
===================================================================
RCS file: /repository/php-src/ext/standard/string.c,v
retrieving revision 1.333.2.32
diff -u -r1.333.2.32 string.c
--- string.c 29 Jun 2003 15:36:10 -0000 1.333.2.32
+++ string.c 9 Jul 2003 13:17:51 -0000
@@ -3336,7 +3336,7 @@
br = 0;
if (allow) {
php_strtolower(allow, allow_len);
- tbuf = emalloc(PHP_TAG_BUF_SIZE+1);
+ tbuf = emalloc(PHP_TAG_BUF_SIZE+2);
tp = tbuf;
} else {
tbuf = tp = NULL;
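Review bot: The change on the `emalloc(PHP_TAG_BUF_SIZE+2)` line makes the buffer one byte larger, but the hunk leaves the code that writes through `tp` untouched, so the length check that allowed a write one byte past the end is still whatever it was. Please show or fix the bound on the write path, or at least add a comment on this line saying what the extra byte is reserved for, so the `+2` does not read as an arbitrary constant and the overflow cannot return if the write path changes.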
------------------------------------------------------------------------
[2003-07-09 08:13:21] [EMAIL PROTECTED]
This is not related to file_get_contents() or any other filesystem
function:
---------------------------------------
/usr/src/web/php/php4_3/ext/standard/string.c(3530) : Block 0x0874B580
status:
Beginning: OK (allocated on
/usr/src/web/php/php4_3/ext/standard/string.c:3339, 1024 bytes)
End: Overflown (magic=0x2A8FCC63 instead of 0x2A8FCC84)
1 byte(s) overflown
---------------------------------------
href/usr/src/web/php/php4_3/ext/standard/string.c(3339) : Freeing
0x0874B5A4 (1024 bytes), script=t.php
strip_tags() causes the crash. (leaks seem to crash winblows, not linux
:)
------------------------------------------------------------------------
[2003-07-09 02:24:43] asykakimo at yahoo dot com dot tw
Description:
------------
file_get_contents will cause PHP to crash in the following code:
$contents=str_replace("\n"," ",file_get_contents($file));
$contents=strip_tags($contents,'<a><frame><area><meta>');
$tags=(preg_match("|</frameset>|i",$contents))?"src":"href";
$tags=(preg_match("|<meta http-equiv=\"?refresh\"?.*url|i",$contents))?"url":$tags;
echo $tags;
------------------------------------------------------------
The $file variable comes from http://www.starwars.com/index.html
If I replace file_get_contents with the fread function, PHP still has
this bug.
Thanks
------------------------------------------------------------------------
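In the heap report above, only the low byte of the end magic differs (0x63, ASCII 'c', instead of 0x84); on a little-endian host that is the first byte after the 1024-byte block, which is why the report says "1 byte(s) overflown". The C sketch below is an added example, not code from PHP or from this thread: the guarded allocator, the off-by-one copy loop and the input are constructed assumptions, not the Zend memory manager or the real strip_tags() write path, and only the magic value and block size come from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define END_MAGIC 0x2A8FCC84u /* expected end magic quoted in the report */
#define GUARD_LEN 4

struct report { int overflown; uint32_t magic; };

/* Byte i of the guard, in little-endian order as laid out on x86. */
static unsigned char guard_byte(int i) { return (unsigned char)(END_MAGIC >> (8 * i)); }

/* Hypothetical guarded allocator: `size` usable bytes followed by the magic. */
static unsigned char *guarded_alloc(size_t size) {
    unsigned char *p = malloc(size + GUARD_LEN);
    for (int i = 0; p && i < GUARD_LEN; i++) p[size + i] = guard_byte(i);
    return p;
}

/* Constructed off-by-one copy: the bound admits index `cap`, one past the block. */
static void copy_off_by_one(unsigned char *dst, size_t cap, const unsigned char *src, size_t n) {
    for (size_t i = 0; i < n && i <= cap; i++) dst[i] = src[i];
}

/* Copy n bytes of constructed input into a cap-byte block, then inspect the guard. */
static struct report run_case(size_t cap, size_t n) {
    struct report r = {0, 0};
    unsigned char *src = malloc(n + 1), *blk = guarded_alloc(cap);
    if (src && blk) {
        memset(src, 'a', n + 1);
        src[n ? n - 1 : 0] = 'c'; /* last input byte is 'c' (0x63) */
        copy_off_by_one(blk, cap, src, n);
        for (int i = 0; i < GUARD_LEN; i++) {
            if (blk[cap + i] != guard_byte(i)) r.overflown = i + 1; /* extent of damage */
            r.magic |= (uint32_t)blk[cap + i] << (8 * i);
        }
    }
    free(src);
    free(blk);
    return r;
}

int main(void) {
    struct report r = run_case(1024, 1025);
    printf("magic=0x%08X, %d byte(s) overflown\n", (unsigned)r.magic, r.overflown);
    return 0;
}
```

With 1024 input bytes the guard stays intact; the 1025th byte is what lands on the first guard byte and changes the magic.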