Fix bug #67252: convert_uudecode out-of-bounds read

diff --git a/NEWS b/NEWS
index 03f8b87daf95e520b8158f7e35dcb18bd3cf2bd2..69e3b8d386f48b4bedd13f9720759091332aea45 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ PHP                                                                        NEWS
   . Fixed bug #67245 (usage of memcpy() with overlapping src and dst in
     zend_exceptions.c). (Bob)
   . Fixed bug #67247 (spl_fixedarray_resize integer overflow). (Stas)
+  . Fixed bug #67252 (convert_uudecode out-of-bounds read). (Stas)
 
 - Date:
   . Fixed bug #67118 (DateTime constructor crash with invalid data). (Anatol)

diff --git a/ext/standard/tests/strings/bug67252.phpt b/ext/standard/tests/strings/bug67252.phpt
new file mode 100644 (file)
index 0000000..80a6ebc
--- /dev/null
+++ b/ext/standard/tests/strings/bug67252.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #67252 (convert_uudecode out-of-bounds read)
+--FILE--
+<?php
+
+$a = "M86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A"."\n"."a.";
+var_dump(convert_uudecode($a));
+
+?>
+--EXPECTF--    
+
+Warning: convert_uudecode(): The given parameter is not a valid uuencoded string in %s on line %d
+bool(false)

diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c
index 52e892ed9e3e7ad0478eb8ff60e9b5e0b35fc898..8544aef9f0cfcc2b12cf9fd874300c04592564a5 100644 (file)
--- a/ext/standard/uuencode.c
+++ b/ext/standard/uuencode.c
@@ -151,6 +151,9 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */
                }
 
                while (s < ee) {
+                       if(s+4 > e) {
+                               goto err;
+                       } 
                        *p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4;
                        *p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2;
                        *p++ = PHP_UU_DEC(*(s + 2)) << 6 | PHP_UU_DEC(*(s + 3));