Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to intege...
authorStanislav Malyshev <stas@php.net>
Mon, 27 May 2019 23:32:42 +0000 (16:32 -0700)
committerStanislav Malyshev <stas@php.net>
Mon, 27 May 2019 23:32:42 +0000 (16:32 -0700)
ext/iconv/iconv.c
ext/iconv/tests/bug78069.data [new file with mode: 0644]
ext/iconv/tests/bug78069.phpt [new file with mode: 0644]

index f86d0ae031987a12d45b9c10efc255f58262966b..b4a2abe08d9a02e9e6c07f51a8f4ebe895f0d003 100644 (file)
@@ -1673,7 +1673,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st
                                                         * we can do at this point. */
                                                        if (*(p1 + 1) == '=') {
                                                                ++p1;
-                                                               --str_left;
+                                                               if (str_left > 1) {
+                                                                       --str_left;
+                                                               }
                                                        }
 
                                                        err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);
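Review bot: The look-ahead `*(p1 + 1) == '='` directly above the new guard is still evaluated before `str_left` is consulted, and when `str_left` is 1 or less `p1` is advanced while the counter stays put, so the pointer and the remaining-length counter stop agreeing. If the enclosing loop (outside this hunk) assumes the two move together, putting the bound in the condition keeps them in step and avoids inspecting a byte beyond the counted input: `if (str_left > 1 && *(p1 + 1) == '=') { ++p1; --str_left; }`. Whether the byte at `p1 + 1` is always readable depends on how callers terminate `str`, which is not visible here. A short comment on the guard would also help, for example `/* str_left is decremented again by the loop; never let it reach 0 here or it wraps */`, assuming that is the reason for the `> 1` threshold.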
diff --git a/ext/iconv/tests/bug78069.data b/ext/iconv/tests/bug78069.data
new file mode 100644 (file)
index 0000000..ebd5d0b
Binary files /dev/null and b/ext/iconv/tests/bug78069.data differ
diff --git a/ext/iconv/tests/bug78069.phpt b/ext/iconv/tests/bug78069.phpt
new file mode 100644 (file)
index 0000000..1341a5e
--- /dev/null
@@ -0,0 +1,15 @@
+--TEST--
+Bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow)
+--SKIPIF--
+<?php
+if (!extension_loaded('iconv')) die('skip ext/iconv required');
+?>
+--FILE--
+<?php
+$hdr = iconv_mime_decode_headers(file_get_contents(__DIR__ . "/bug78069.data"),2);
+var_dump(count($hdr));
+?>
+DONE
+--EXPECT--
+int(1)
+DONE
\ No newline at end of file
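Review bot: The only assertion is `var_dump(count($hdr))`, and an out-of-bounds read does not necessarily change the header count, so this test probably catches a regression only when the suite runs under a memory checker such as ASan or valgrind. A `--DESCRIPTION--` section saying so, plus a dump of the decoded header value if it is stable, would make the intent clear to whoever next touches the test. The mode argument is passed as the bare literal `2`; writing `ICONV_MIME_DECODE_CONTINUE_ON_ERROR` shows which decoder path the fixture is meant to exercise.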