author | Stanislav Malyshev <stas@php.net> | 2020-01-20 22:47:01 -0800 |
---|---|---|
committer | Derick Rethans <github@derickrethans.nl> | 2020-01-21 10:10:02 +0000 |
commit | bea47b794f93dedb9e30f27586ece1fc8b6bca27 (patch) | |
tree | 049a091935481a3208fe7e4eb5b8122bcf7dabf4 /ext/standard/string.c | |
parent | c497becad41376c7358d75e3b38eb472a434549e (diff) | |
download | php-git-bea47b794f93dedb9e30f27586ece1fc8b6bca27.tar.gz |
Merge branch 'PHP-7.3' into PHP-7.4
* PHP-7.3:
Update NEWS
Fix bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`)
Fix #79099: OOB read in php_strip_tags_ex
Fix #79091: heap use-after-free in session_create_id()
Diffstat (limited to 'ext/standard/string.c')
-rw-r--r-- | ext/standard/string.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 50934e1b50..934936ba94 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -5278,7 +5278,7 @@ state_1:
 }
 lc = '>';
- if (is_xml && *(p -1) == '-') {
+ if (is_xml && p >= buf + 1 && *(p -1) == '-') {
 break;
 }
 in_q = state = is_xml = 0;
@@ -5310,7 +5310,7 @@ state_1:
 goto reg_char_1;
 case '!':
 /* JavaScript & Other HTML scripting languages */
- if (*(p-1) == '<') {
+ if (p >= buf + 1 && *(p-1) == '<') {
 state = 3;
 lc = c;
 p++;
@@ -5320,7 +5320,7 @@ state_1:
 }
 break;
 case '?':
- if (*(p-1) == '<') {
+ if (p >= buf + 1 && *(p-1) == '<') {
 br=0;
 state = 2;
 p++; |
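Review bot: The guard `p >= buf + 1` added in the `'>'` branch is repeated verbatim in the `'!'` and `'?'` branches of the two later hunks, and none of the three sites says why the one-byte lookbehind needs it. It would read more directly as `p > buf`, and a short comment at the first use, such as `/* p can be the first byte of buf here; never read buf[-1] */`, would record the invariant. That this state can be entered at the start of the buffer is inferred from the bug title (OOB read in php_strip_tags_ex), not from the visible lines. With the guard in place the lookbehind is simply false when `p == buf`, so if parser state is carried over from an earlier call, the byte that ended the previous chunk is not considered; it is worth confirming that this is the intended classification. The enclosing function starts and ends outside these hunks, so any other `*(p-1)` reads in it should be checked for the same bound.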