Description: fix denial of service via invalid tidy objects
Origin: backport, http://svn.php.net/viewvc?view=revision&revision=323118
Origin: backport, http://svn.php.net/viewvc?view=revision&revision=322536
Bug: https://bugs.php.net/bug.php?id=54682
6
Index: php5-5.2.4/ext/tidy/tests/004.phpt
7
===================================================================
8
--- php5-5.2.4.orig/ext/tidy/tests/004.phpt 2004-05-19 04:45:23.000000000 -0400
9
+++ php5-5.2.4/ext/tidy/tests/004.phpt 2012-06-12 15:53:47.644997564 -0400
11
<?php if (!extension_loaded("tidy")) print "skip"; ?>
14
- $a = tidy_parse_string("<HTML></HTML>");
16
- echo tidy_get_error_buffer($a);
17
+$a = tidy_parse_string('<HTML></HTML>');
18
+var_dump(tidy_diagnose($a));
19
+echo tidy_get_error_buffer($a);
22
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2//EN">
24
+<head><title>foo</title></head>
25
+<body><p>hello</p></body>
28
+$a = tidy_parse_string($html);
29
+var_dump(tidy_diagnose($a));
30
+echo tidy_get_error_buffer($a);
35
line 1 column 1 - Warning: missing <!DOCTYPE> declaration
36
line 1 column 7 - Warning: discarding unexpected </html>
37
line 1 column 14 - Warning: inserting missing 'title' element
38
Info: Document content looks like HTML 3.2
39
-3 warnings, 0 errors were found!
40
\ No newline at end of file
41
+3 warnings, 0 errors were found!
43
+Info: Document content looks like HTML 3.2
44
+No warnings or errors were found.
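Review bot: Both cases in the updated test call `tidy_parse_string()` before `tidy_diagnose()`, so as far as the visible lines show, the path this patch guards is never exercised: `tidy_diagnose()` on an object whose `initialized` flag is still 0. A regression case for a tidy object that has not parsed anything would pin the fix, for example `$t = new tidy();` followed by `var_dump($t->diagnose());`, with a matching `bool(false)` line in the expected output. That expected value assumes the guarded branch falls through to a false return, which is outside the visible lines. Some lines of this file are missing from the page, so such a case may already exist.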
45
Index: php5-5.2.4/ext/tidy/tidy.c
46
===================================================================
47
--- php5-5.2.4.orig/ext/tidy/tidy.c 2007-05-04 13:11:05.000000000 -0400
48
+++ php5-5.2.4/ext/tidy/tidy.c 2012-06-12 15:53:47.700997565 -0400
52
unsigned int ref_count;
53
+ unsigned int initialized:1;
58
intern->ptdoc = emalloc(sizeof(PHPTidyDoc));
59
intern->ptdoc->doc = tidyCreate();
60
intern->ptdoc->ref_count = 1;
61
+ intern->ptdoc->initialized = 0;
62
intern->ptdoc->errbuf = emalloc(sizeof(TidyBuffer));
63
tidyBufInit(intern->ptdoc->errbuf);
71
+ obj->ptdoc->initialized = 1;
74
tidyBufAppend(&buf, string, len);
75
if (tidyParseBuffer(obj->ptdoc->doc, &buf) < 0) {
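Review bot: `obj->ptdoc->initialized = 1;` is assigned before `tidyParseBuffer()` is called, so a document whose parse returns `< 0` stays marked as initialized and will pass the new `obj->ptdoc->initialized &&` guard in front of `tidyRunDiagnostics()`. Whether diagnostics are safe on a document in that state cannot be told from the visible lines. If the flag is meant to record that a parse was attempted, say so next to the assignment, e.g. `/* set on any parse attempt, not only on success */`; if it is meant to record a usable document, move the assignment below the `< 0` check. The enclosing function starts and ends outside the visible lines.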
80
- if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
81
+ if (obj->ptdoc->initialized && tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
82
tidy_doc_update_properties(obj TSRMLS_CC);