iliaa Mon, 01 Feb 2010 12:59:08 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=294303
Log:
Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes long)
Bug: http://bugs.php.net/50847 (Verified) strip_tags() fails with extremely
long tags (attributes)
Changed paths:
U php/php-src/branches/PHP_5_2/NEWS
U php/php-src/branches/PHP_5_2/ext/standard/string.c
A php/php-src/branches/PHP_5_2/ext/standard/tests/strings/bug50847.phpt
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/standard/string.c
A php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug50847.phpt
U php/php-src/trunk/ext/standard/string.c
A php/php-src/trunk/ext/standard/tests/strings/bug50847.phpt
Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS 2010-02-01 12:18:50 UTC (rev 294302)
+++ php/php-src/branches/PHP_5_2/NEWS 2010-02-01 12:59:08 UTC (rev 294303)
@@ -4,6 +4,8 @@
- Fixed a possible open_basedir/safe_mode bypass in session extension
identified by Grzegorz Stachowiak. (Ilia)
+- Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes
+ long). (Ilia)
- Fixed bug #50727 (Accesing mysqli->affected_rows on no connection causes
segfault). (Andrey, Johannes)
Modified: php/php-src/branches/PHP_5_2/ext/standard/string.c
===================================================================
--- php/php-src/branches/PHP_5_2/ext/standard/string.c 2010-02-01 12:18:50 UTC (rev 294302)
+++ php/php-src/branches/PHP_5_2/ext/standard/string.c 2010-02-01 12:59:08 UTC (rev 294303)
@@ -4335,7 +4335,7 @@
{
char *tbuf, *buf, *p, *tp, *rp, c, lc;
int br, i=0, depth=0, in_q = 0;
- int state = 0;
+ int state = 0, pos;
if (stateptr)
state = *stateptr;
@@ -4348,7 +4348,7 @@
br = 0;
if (allow) {
php_strtolower(allow, allow_len);
- tbuf = emalloc(PHP_TAG_BUF_SIZE+1);
+ tbuf = emalloc(PHP_TAG_BUF_SIZE + 1);
tp = tbuf;
} else {
tbuf = tp = NULL;
@@ -4369,7 +4369,11 @@
lc = '<';
state = 1;
if (allow) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = '<';
}
} else if (state == 1) {
@@ -4384,7 +4388,11 @@
br++;
}
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
} else if (state == 0) {
*(rp++) = c;
@@ -4398,7 +4406,11 @@
br--;
}
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
} else if (state == 0) {
*(rp++) = c;
@@ -4420,7 +4432,11 @@
lc = '>';
in_q = state = 0;
if (allow) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = '>';
*tp='\0';
if (php_tag_find(tbuf, tp-tbuf, allow)) {
@@ -4467,7 +4483,11 @@
} else if (state == 0) {
*(rp++) = c;
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
}
if (state && p != buf && (state == 1 || *(p-1) != '\\') && (!in_q || *p == in_q)) {
@@ -4488,7 +4508,11 @@
if (state == 0) {
*(rp++) = c;
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
}
}
@@ -4543,7 +4567,11 @@
if (state == 0) {
*(rp++) = c;
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
}
break;
Added: php/php-src/branches/PHP_5_2/ext/standard/tests/strings/bug50847.phpt
===================================================================
--- php/php-src/branches/PHP_5_2/ext/standard/tests/strings/bug50847.phpt (rev 0)
+++ php/php-src/branches/PHP_5_2/ext/standard/tests/strings/bug50847.phpt 2010-02-01 12:59:08 UTC (rev 294303)
@@ -0,0 +1,10 @@
+--TEST--
+Bug #50847 (strip_tags() removes all tags greater then 1023 bytes long)
+--FILE--
+<?php
+$var = '<param value="' . str_repeat("a", 2048) . '" />';
+var_dump(strip_tags($var, "<param>"), strip_tags($var));
+?>
+--EXPECT--
+string(2066) "<param value="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" />"
+string(0) ""
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-02-01 12:18:50 UTC (rev 294302)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-02-01 12:59:08 UTC (rev 294303)
@@ -25,6 +25,8 @@
- Fixed bug #50859 (build fails with openssl 1.0 due to md2 deprecation).
(Ilia, hanno at hboeck dot de)
+- Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes
+ long). (Ilia)
- Fixed bug #50829 (php.ini directive pdo_mysql.default_socket is ignored).
(Ilia)
- Fixed bug #50832 (HTTP fopen wrapper does not support passwordless HTTP
Modified: php/php-src/branches/PHP_5_3/ext/standard/string.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/string.c 2010-02-01 12:18:50 UTC (rev 294302)
+++ php/php-src/branches/PHP_5_3/ext/standard/string.c 2010-02-01 12:59:08 UTC (rev 294303)
@@ -4243,7 +4243,7 @@
{
char *tbuf, *buf, *p, *tp, *rp, c, lc;
int br, i=0, depth=0, in_q = 0;
- int state = 0;
+ int state = 0, pos;
if (stateptr)
state = *stateptr;
@@ -4256,7 +4256,7 @@
br = 0;
if (allow) {
php_strtolower(allow, allow_len);
- tbuf = emalloc(PHP_TAG_BUF_SIZE+1);
+ tbuf = emalloc(PHP_TAG_BUF_SIZE + 1);
tp = tbuf;
} else {
tbuf = tp = NULL;
@@ -4277,7 +4277,11 @@
lc = '<';
state = 1;
if (allow) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = '<';
}
} else if (state == 1) {
@@ -4292,7 +4296,11 @@
br++;
}
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
} else if (state == 0) {
*(rp++) = c;
@@ -4306,7 +4314,11 @@
br--;
}
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
} else if (state == 0) {
*(rp++) = c;
@@ -4328,7 +4340,11 @@
lc = '>';
in_q = state = 0;
if (allow) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = '>';
*tp='\0';
if (php_tag_find(tbuf, tp-tbuf, allow)) {
@@ -4378,7 +4394,11 @@
} else if (state == 0) {
*(rp++) = c;
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
}
if (state && p != buf && (state == 1 || *(p-1) != '\\') && (!in_q || *p == in_q)) {
@@ -4399,7 +4419,11 @@
if (state == 0) {
*(rp++) = c;
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
}
}
@@ -4454,7 +4478,11 @@
if (state == 0) {
*(rp++) = c;
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
}
break;
Added: php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug50847.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug50847.phpt (rev 0)
+++ php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug50847.phpt 2010-02-01 12:59:08 UTC (rev 294303)
@@ -0,0 +1,10 @@
+--TEST--
+Bug #50847 (strip_tags() removes all tags greater then 1023 bytes long)
+--FILE--
+<?php
+$var = '<param value="' . str_repeat("a", 2048) . '" />';
+var_dump(strip_tags($var, "<param>"), strip_tags($var));
+?>
+--EXPECT--
+string(2066) "<param value="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" />"
+string(0) ""
Modified: php/php-src/trunk/ext/standard/string.c
===================================================================
--- php/php-src/trunk/ext/standard/string.c 2010-02-01 12:18:50 UTC (rev 294302)
+++ php/php-src/trunk/ext/standard/string.c 2010-02-01 12:59:08 UTC (rev 294303)
@@ -6512,7 +6512,7 @@
{
char *tbuf, *buf, *p, *tp, *rp, c, lc;
int br, i=0, depth=0, in_q=0;
- int state = 0;
+ int state = 0, pos;
if (stateptr)
state = *stateptr;
@@ -6525,7 +6525,7 @@
br = 0;
if (allow) {
php_strtolower(allow, allow_len);
- tbuf = emalloc(PHP_TAG_BUF_SIZE+1);
+ tbuf = emalloc(PHP_TAG_BUF_SIZE + 1);
tp = tbuf;
} else {
tbuf = tp = NULL;
@@ -6546,7 +6546,11 @@
lc = '<';
state = 1;
if (allow) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = '<';
}
} else if (state == 1) {
@@ -6561,7 +6565,11 @@
br++;
}
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
} else if (state == 0) {
*(rp++) = c;
@@ -6575,7 +6583,11 @@
br--;
}
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
} else if (state == 0) {
*(rp++) = c;
@@ -6597,7 +6609,11 @@
lc = '>';
in_q = state = 0;
if (allow) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = '>';
*tp='\0';
if (php_tag_find(tbuf, tp-tbuf, allow)) {
@@ -6647,7 +6663,11 @@
} else if (state == 0) {
*(rp++) = c;
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
}
if (state && p != buf && (state == 1 || *(p-1) != '\\') && (!in_q || *p == in_q)) {
@@ -6668,7 +6688,11 @@
if (state == 0) {
*(rp++) = c;
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
}
}
@@ -6723,7 +6747,11 @@
if (state == 0) {
*(rp++) = c;
} else if (allow && state == 1) {
- tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+ if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+ pos = tp - tbuf;
+ tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+ tp = tbuf + pos;
+ }
*(tp++) = c;
}
break;
Added: php/php-src/trunk/ext/standard/tests/strings/bug50847.phpt
===================================================================
--- php/php-src/trunk/ext/standard/tests/strings/bug50847.phpt (rev 0)
+++ php/php-src/trunk/ext/standard/tests/strings/bug50847.phpt 2010-02-01 12:59:08 UTC (rev 294303)
@@ -0,0 +1,10 @@
+--TEST--
+Bug #50847 (strip_tags() removes all tags greater then 1023 bytes long)
+--FILE--
+<?php
+$var = '<param value="' . str_repeat("a", 2048) . '" />';
+var_dump(strip_tags($var, "<param>"), strip_tags($var));
+?>
+--EXPECT--
+string(2066) "<param value="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" />"
+string(0) ""
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
