From 89084ce9e34ed38403f8cbb5d67e6299f1b1ab60 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 20 Jan 2020 21:33:17 -0800 Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex (cherry picked from commit 0f79b1bf301f455967676b5129240140c5c45b09) --- ext/standard/string.c | 6 ++--- ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 3 deletions(-) create mode 100644 ext/standard/tests/file/bug79099.phpt diff --git a/ext/standard/string.c b/ext/standard/string.c index a8b39ee615..c4b5e031ed 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -4757,7 +4757,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha if (state == 4) { /* Inside */ break; - } else if (state == 2 && *(p-1) != '\\') { + } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') { if (lc == c) { lc = '\0'; } else if (lc != '\\') { @@ -4784,7 +4784,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha case '!': /* JavaScript & Other HTML scripting languages */ - if (state == 1 && *(p-1) == '<') { + if (state == 1 && p >= buf + 1 && *(p-1) == '<') { state = 3; lc = c; } else { @@ -4811,7 +4811,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha case '?': - if (state == 1 && *(p-1) == '<') { + if (state == 1 && p >= buf + 1 && *(p-1) == '<') { br=0; state=2; break; diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt new file mode 100644 index 0000000000..7c842f4654 --- /dev/null +++ b/ext/standard/tests/file/bug79099.phpt @@ -0,0 +1,32 @@ +--TEST-- +Bug #79099 (OOB read in php_strip_tags_ex) +--FILE-- + +--EXPECT-- +string(0) "" +string(0) "" +string(0) "" +string(0) "" +string(0) "" +string(0) "" From 740b58637d71aade0a748117b7fbe9a21a1fab70 Mon Sep 17 00:00:00 2001 
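Review bot: The new guard on the quote branch turns an unknown previous byte into "escaped": when `p == buf` and `state == 2` (reachable only if the state was carried in through `stateptr`, per the signature in the hunk header), the quote now skips the `lc` tracking entirely, which is the same outcome as `*(p-1) == '\\'`. Whether a quote at a chunk boundary is more often escaped or not cannot be told from here, but the choice is silent; I'd document it with `/* p == buf: state carried in via stateptr, previous byte unknown - treat the quote as escaped */` above the condition, or change it to `p == buf || *(p-1) != '\\'` if the unescaped reading is the intended default. The enclosing `switch` case and the function body continue outside the hunk.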
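Review bot: `p >= buf + 1` states "not the first byte" indirectly; `p > buf` expresses the same bound without forming `buf + 1`, and this is already the second copy of the identical look-behind guard in this commit. A one-line helper such as `#define PREV_CHAR_IS(ch) (p > buf && *(p - 1) == (ch))`, used as `if (state == 1 && PREV_CHAR_IS('<')) {`, would keep every site the same and make a missing bound check visible in review. The guard itself looks correct assuming `p` is initialised to `buf` by the loop setup outside the hunk, which its comparison against `buf + 1` suggests; `p > buf` is then exactly the condition under which `*(p-1)` is inside the copy.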
From: Stanislav Malyshev Date: Wed, 22 Jan 2020 22:36:53 -0800 Subject: [PATCH] More checks for php_strip_tags_ex (cherry picked from commit 2dc170e25d86a725fefd4c08f2bd8378820b28f5) --- ext/standard/string.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/standard/string.c b/ext/standard/string.c index c4b5e031ed..7c044af0fd 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -4707,7 +4707,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha switch (state) { case 1: /* HTML/XML */ lc = '>'; - if (is_xml && *(p -1) == '-') { + if (is_xml && p >= buf + 1 && *(p-1) == '-') { break; } in_q = state = is_xml = 0; @@ -4728,7 +4728,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha break; case 2: /* PHP */ - if (!br && lc != '\"' && *(p-1) == '?') { + if (!br && lc != '\"' && p >= buf + 1 && *(p-1) == '?') { in_q = state = 0; tp = tbuf; }
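Review bot: With the guard short-circuited at `p == buf`, a `>` in the first byte of a chunk while `is_xml` is set no longer takes the `break`, so it falls through to `in_q = state = is_xml = 0` and closes the element even if the previous chunk ended in `-` (a `-->` split across two calls through `stateptr`). That is a safe default compared with the previous out-of-bounds read, but it is a behaviour choice for carried-over state that the commit message ("More checks") does not record; a comment such as `/* p == buf: the '-' would belong to an earlier call, cannot see it */` on the changed line would make it explicit. The `case 1:` body continues past the end of the hunk.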
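Review bot: This is the fifth separately guarded `*(p-1)` look-behind across the two commits on this page, two of them added only in this follow-up, and the per-site pattern invites the next miss. A tracked previous-character local - `char prev = '\0';` before the loop, updated with `prev = c;` wherever the loop advances `p` - lets every site read `prev == '?'` with no bound check at all, and the carried-state case at `p == buf` gets one explicit default (`'\0'`) instead of a different implicit one per site. That restructuring touches the loop header and tail, which lie outside this hunk, so I am describing rather than quoting it. Separately, the pre-existing `'\"'` on the changed line can be written `'"'`.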