Fix null pointer deref in qprint-encode filter (bug #77231)
authorStanislav Malyshev <stas@php.net>
Mon, 3 Dec 2018 10:12:11 +0000 (02:12 -0800)
committerStanislav Malyshev <stas@php.net>
Mon, 3 Dec 2018 18:19:08 +0000 (10:19 -0800)
NEWS
ext/standard/filters.c
ext/standard/tests/filters/bug77231.phpt [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index 727e874f97c1fad7072d701db94f4b347c81a107..303f2a0348a6a637674db9f7c804376b33028d09 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2018, PHP 5.6.39
 
+- Core:
+  . Fixed bug #77231 (Segfault when using convert.quoted-printable-encode 
+    filter). (Stas)
+
 - IMAP:
   . Fixed bug #77020 (null pointer dereference in imap_mail). (cmb)
   . Fixed bug #77153 (imap_open allows to run arbitrary shell commands via
index dc7b0d86dcd33bee8dfdc6a16b471851445765ac..9718a45be25e56446cd5bb2c4c475afd7f3a3e54 100644 (file)
@@ -928,7 +928,7 @@ static php_conv_err_t php_conv_qprint_encode_convert(php_conv_qprint_encode *ins
                        line_ccnt--;
                        CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt);
                } else {
-                       if (line_ccnt < 4) {
+                       if (line_ccnt < 4 && inst->lbchars != NULL) {
                                if (ocnt < inst->lbchars_len + 1) {
                                        err = PHP_CONV_ERR_TOO_BIG;
                                        break;
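Review bot: The guard added to `if (line_ccnt < 4 && inst->lbchars != NULL)` stops the soft-break path from reading a NULL `inst->lbchars`, but the `line_ccnt--` at the top of this hunk still runs for every byte and is no longer reset by the branch it now skips, so when no line-break string is configured the counter just keeps falling; if `line_ccnt` is an unsigned type (its declaration is outside the hunk) it wraps silently, and the resulting "no lbchars means no soft line breaks" behaviour is implicit rather than stated. The check also admits a non-NULL but zero-length buffer, because `inst->lbchars_len` on the next line is only used for the output-space test, and that case would presumably still take the soft-break path with an empty line terminator. I would tighten the condition to `if (line_ccnt < 4 && inst->lbchars != NULL && inst->lbchars_len > 0) {` and put a comment above it such as `/* No line-break string configured: never insert soft line breaks, even when line_ccnt runs out. */`. A more defensive fix would normalise `lbchars`/`lbchars_len` once where the encoder instance is created so no use site has to repeat this check; that code, like the start and end of php_conv_qprint_encode_convert, is outside this hunk.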
diff --git a/ext/standard/tests/filters/bug77231.phpt b/ext/standard/tests/filters/bug77231.phpt
new file mode 100644 (file)
index 0000000..17967ee
--- /dev/null
@@ -0,0 +1,11 @@
+--TEST--
+Bug #77231 (Segfault when using convert.quoted-printable-encode filter)
+--FILE--
+<?php
+var_dump(file(urldecode('php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAFAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA')));
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(74) "=BFAAAAAAAAFAAAAAAAAAAAAAA=FF=FF=FF=FF=FF=FF=FF=FFAAAAAAAAAAAAAAAAAAAAAAAA"
+}
\ No newline at end of file
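Review bot: The new test only exercises the default-options path, where no `line-break-chars` are configured, so nothing here confirms that soft line breaks still work when a line-break string is supplied, which is exactly the behaviour the changed condition now gates. The 74-byte input also stays below a 76-column wrap, so the `line_ccnt < 4` branch is presumably only reached through the unconfigured-limit case that crashed before. I would add a second case that appends the filter with explicit parameters, e.g. `stream_filter_append($fp, 'convert.quoted-printable-encode', STREAM_FILTER_WRITE, ['line-length' => 8, 'line-break-chars' => "\n"]);` on a `php://memory` stream and records the wrapped output in the EXPECT section, plus a variant with `'line-break-chars' => ''` to pin down what an empty string does. The file is also missing its trailing newline.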