MFB: Fixed bug #47174 (base64_decode() interprets pad char in mid string as

terminator)

diff --git a/NEWS b/NEWS
index 844947aec249493d5f7b5ecb6473956716550533..012158b8c7faf7a22e971585a4fa7b80f554d02e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,8 @@ PHP                                                                        NEWS
 - Fixed bug in xml_error_string() which resulted in messages being
   off by one. (Scott)
 
+- Fixed bug #47174 (base64_decode() interprets pad char in mid string as
+  terminator). (Ilia)
 - Fixed bug #47165 (Possible memory corruption when passing return value by
   reference). (Dmitry)
 - Fixed bug #47152 (gzseek/fseek using SEEK_END produces strange results).

diff --git a/ext/standard/base64.c b/ext/standard/base64.c
index c7c25a8979748c4deffa7552c2b85580ce7703c2..b163ce484928c4be2a004465901d2b7ebfdcad04 100644 (file)
--- a/ext/standard/base64.c
+++ b/ext/standard/base64.c
@@ -153,7 +153,14 @@ PHPAPI unsigned char *php_base64_decode_ex(const unsigned char *str, int length,
 
        /* run through the whole string, converting as we go */
        while ((ch = *current++) != '\0' && length-- > 0) {
-               if (ch == base64_pad) break;
+               if (ch == base64_pad) {
+                       if (*current != '=' && (i % 4) == 1) {
+                               efree(result);
+                               return NULL;
+                       }
+                       i++;
+                       continue;
+               }
 
                ch = base64_reverse_table[ch];
                if ((!strict && ch < 0) || ch == -1) { /* a space or some other separator character, we simply skip over */