From b502f510f0a9d6f02cd1e520a74fafd5b76ebc6e Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Thu, 4 Jun 2020 11:21:08 +0200
Subject: [PATCH 1/2] Fix #73527: Invalid memory access in php_filter_strip

---
 ext/filter/sanitizing_filters.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c
index 7a992b4966c18..29e2c1b8bed1e 100644
--- a/ext/filter/sanitizing_filters.c
+++ b/ext/filter/sanitizing_filters.c
@@ -110,7 +110,7 @@ static void php_filter_strip(zval *value, zend_long flags)
 {
 unsigned char *str;
 size_t i;
- int c;
+ size_t c;
 zend_string *buf;
 
 /* Optimization for if no strip flags are set */

From 48c04ed1a38023e449d0e1e463e29920c13d431e Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Thu, 4 Jun 2020 11:49:59 +0200
Subject: [PATCH 2/2] Fix useless overallocations

`zend_string_init()` already adds space for the NUL byte.
---
 ext/filter/sanitizing_filters.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c
index 29e2c1b8bed1e..de69b3bf5a8b5 100644
--- a/ext/filter/sanitizing_filters.c
+++ b/ext/filter/sanitizing_filters.c
@@ -119,7 +119,7 @@ static void php_filter_strip(zval *value, zend_long flags)
 }
 
 str = (unsigned char *)Z_STRVAL_P(value);
- buf = zend_string_alloc(Z_STRLEN_P(value) + 1, 0);
+ buf = zend_string_alloc(Z_STRLEN_P(value), 0);
 c = 0;
 for (i = 0; i < Z_STRLEN_P(value); i++) {
 if ((str[i] >= 127) && (flags & FILTER_FLAG_STRIP_HIGH)) {
@@ -161,7 +161,7 @@ static void filter_map_apply(zval *value, filter_map *map)
 zend_string *buf;
 
 str = (unsigned char *)Z_STRVAL_P(value);
- buf = zend_string_alloc(Z_STRLEN_P(value) + 1, 0);
+ buf = zend_string_alloc(Z_STRLEN_P(value), 0);
 c = 0;
 for (i = 0; i < Z_STRLEN_P(value); i++) {
 if ((*map)[str[i]]) {
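Review bot: The widening of `c` to `size_t` is applied only in php_filter_strip, while filter_map_apply (last hunk of this series) uses the same `c = 0;` counter ahead of the same loop over `Z_STRLEN_P(value)`, and its declaration of `c` is outside every visible hunk. If that counter is still an `int`, an input longer than INT_MAX bytes would presumably hit the same out-of-range index there, so it should be confirmed as `size_t c;` too. A short comment at the declaration, e.g. `/* output index; size_t to match Z_STRLEN_P() */`, would keep the type from being narrowed again. The body of php_filter_strip continues past the end of this hunk.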
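Review bot: Allocating exactly `Z_STRLEN_P(value)` bytes leaves the terminator write (presumably at index `c`, after the loop and outside this hunk) dependent on two invariants the code does not state: the output index never exceeds the input length, and the allocator itself reserves the byte for the NUL. The commit message attributes that reservation to `zend_string_init()`, but the call on the changed line is `zend_string_alloc()`, so the guarantee should be checked for that function. A comment above the allocation such as `/* output is never longer than the input; zend_string_alloc() reserves the trailing NUL */` would pin this at the call site. The same applies to the identical line in filter_map_apply in the next hunk; both loop bodies continue outside the visible context.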