From ec54bb99c4ffd5060c991bc1ed722b9a39915fa6 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Sat, 4 Aug 2012 13:23:05 +0200
Subject: [PATCH] Fix: Infinite loop caused by smiley code with "["

This reworks the previous commit and fix the incorrect readings. I would've rebased but my windows git is missing some commands for not so obvious reasons.
---
 root/includes/trim_message/bbcodes.php | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/root/includes/trim_message/bbcodes.php b/root/includes/trim_message/bbcodes.php
index cbb36970..8178d14a 100644
--- a/root/includes/trim_message/bbcodes.php
+++ b/root/includes/trim_message/bbcodes.php
@@ -364,10 +364,19 @@ class phpbb_trim_message_bbcodes
 $content_length = utf8_strlen($content);
 $last_smiley = false;
 $last_html_opening = $last_html_closing = 0;
- while (($last_html_opening = utf8_strpos($content, '<', $last_html_closing)) !== false &&
- utf8_strpos($content, '>', $last_html_opening) !== false)
+ while (($last_html_opening = utf8_strpos($content, '<', $last_html_closing)) !== false)
 {
 $last_html_closing = utf8_strpos($content, '>', $last_html_opening);
+ /**
+ * Abort while loop if there are no more ">" or we'll end up in an
+ * endless loop. The abort needs to be done here or the following
+ * code will produce incorrect data.
+ */
+ if (!$last_html_closing)
+ {
+ break;
+ }
+
 if (($smiley_code = utf8_substr($content, $last_html_opening + 7, ($last_html_closing - $last_html_opening - 11))) != '--')
 {
 if ($last_smiley == $smiley_code)
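Review bot: The new guard `if (!$last_html_closing)` tests truthiness while the loop condition right above it uses `!== false`; since the case being caught is utf8_strpos() finding no ">", `if ($last_html_closing === false)` states that directly and does not depend on the match offset never being 0. Breaking at this point also leaves `$last_html_closing` holding `false` once the loop ends, whereas the removed two-part condition left the last valid offset in it; if anything after the loop reads that variable (not visible in this hunk), assign through a temporary instead: `$closing = utf8_strpos($content, '>', $last_html_opening);`, `if ($closing === false) { break; }`, `$last_html_closing = $closing;`. The same guard is repeated in the second hunk (-415/+424) and the same two remarks apply there. Since `$content` appears to be message text, a regression test feeding an unmatched "<" through both loops would keep the hang from coming back. The while body and the enclosing method continue outside the hunk.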
@@ -415,6 +424,15 @@ class phpbb_trim_message_bbcodes
 {
 // foreach markup we find in the string, we enlarge our text-size.
 $last_html_closing = utf8_strpos($content, '>', $last_html_opening);
+ /**
+ * Abort while loop if there are no more ">" or the following code
+ * will produce incorrect data and additionally produce a PHP Notice.
+ */
+ if (!$last_html_closing)
+ {
+ break;
+ }
+
 $content_length += ($last_html_closing - $last_html_opening) + 1;
 $smiley_code = utf8_substr($content, $last_html_opening + 7, ($last_html_closing - $last_html_opening - 11));