MFH: fix leaks in get_meta_tags() when used with b0rked HTML

add test

ext/standard/file.c

@@ -399,6 +399,7 @@ PHP_FUNCTION(get_meta_tags)
 				}
 			} else if (tok_last == TOK_EQUAL && looking_for_val) {
 				if (saw_name) {
+					STR_FREE(name);
 					/* Get the NAME attr (Single word attr, non-quoted) */
 					temp = name = estrndup(md.token_data, md.token_len);
 
@@ -411,6 +412,7 @@ PHP_FUNCTION(get_meta_tags)
 
 					have_name = 1;
 				} else if (saw_content) {
+					STR_FREE(value);
 					/* Get the CONTENT attr (Single word attr, non-quoted) */
 					if (PG(magic_quotes_runtime)) {
 						value = php_addslashes(md.token_data, 0, &md.token_len, 0 TSRMLS_CC);
@@ -437,6 +439,7 @@ PHP_FUNCTION(get_meta_tags)
 			}
 		} else if (tok == TOK_STRING && tok_last == TOK_EQUAL && looking_for_val) {
 			if (saw_name) {
+				STR_FREE(name);
 				/* Get the NAME attr (Quoted single/double) */
 				temp = name = estrndup(md.token_data, md.token_len);
 
@@ -449,6 +452,7 @@ PHP_FUNCTION(get_meta_tags)
 
 				have_name = 1;
 			} else if (saw_content) {
+				STR_FREE(value);
 				/* Get the CONTENT attr (Single word attr, non-quoted) */
 				if (PG(magic_quotes_runtime)) {
 					value = php_addslashes(md.token_data, 0, &md.token_len, 0 TSRMLS_CC);
@@ -472,12 +476,13 @@ PHP_FUNCTION(get_meta_tags)
 				/* For BC */
 				php_strtolower(name, strlen(name));
 				if (have_content) {
-					add_assoc_string(return_value, name, value, 0); 
+					add_assoc_string(return_value, name, value, 1); 
 				} else {
 					add_assoc_string(return_value, name, "", 1);
 				}
 
 				efree(name);
+				efree(value);
 			} else if (have_content) {
 				efree(value);
 			}
@@ -499,6 +504,8 @@ PHP_FUNCTION(get_meta_tags)
 		md.token_data = NULL;
 	}
 
+	STR_FREE(value);
+	STR_FREE(name);
 	php_stream_close(md.stream);
 }
 

ext/standard/tests/strings/get_meta_tags.phpt

@@ -0,0 +1,95 @@
+--TEST--
+get_meta_tags() tests
+--FILE--
+<?php
+
+$filename = dirname(__FILE__)."/get_meta_tags.html";
+
+$data = <<<DATA
+<meta name="author" content="name">
+<meta name="keywords" content="php documentation">
+<meta name="DESCRIPTION" content="a php manual">
+<meta name="geo.position" content="49.33;-86.59">
+</head> <!-- parsing stops here -->
+DATA;
+
+$data1 = <<<DATA
+<html>
+    <head>
+        <meta name="author" content="name">
+        <meta name="keywords" content="php documentation">
+        <meta name="DESCRIPTION" content="a php manual">
+        <meta name="geo.position" content="49.33;-86.59">
+    </head>
+    <body>
+        <meta name="author" content="name1">
+        <meta name="keywords" content="php documentation1">
+        <meta name="DESCRIPTION" content="a php manual1">
+        <meta name="geo.position" content="49.33;-86.591">
+    </body>
+</html>
+DATA;
+
+$data2 = <<<DATA
+<meta name="author" content="name"
+<meta name="keywords" content="php documentation">
+DATA;
+
+$data3 = <<<DATA
+<meta <meta name="keywords" content="php documentation">
+DATA;
+
+$data4 = <<<DATA
+<meta name="author" content="name"
+<meta name="keywords" content="php documentation"
+DATA;
+
+$array = array($data, $data1, $data2, $data3, $data4, "", "<>", "<meta<<<<<");
+
+foreach ($array as $html) {
+	file_put_contents($filename, $html);
+	var_dump(get_meta_tags($filename));
+}
+
+@unlink($filename);
+
+echo "Done\n";
+?>
+--EXPECTF--	
+array(4) {
+  ["author"]=>
+  string(4) "name"
+  ["keywords"]=>
+  string(17) "php documentation"
+  ["description"]=>
+  string(12) "a php manual"
+  ["geo_position"]=>
+  string(12) "49.33;-86.59"
+}
+array(4) {
+  ["author"]=>
+  string(4) "name"
+  ["keywords"]=>
+  string(17) "php documentation"
+  ["description"]=>
+  string(12) "a php manual"
+  ["geo_position"]=>
+  string(12) "49.33;-86.59"
+}
+array(1) {
+  ["keywords"]=>
+  string(17) "php documentation"
+}
+array(1) {
+  ["keywords"]=>
+  string(17) "php documentation"
+}
+array(0) {
+}
+array(0) {
+}
+array(0) {
+}
+array(0) {
+}
+Done