Fix bug #67252: convert_uudecode out-of-bounds read

author Stanislav Malyshev <stas@php.net>

Mon, 12 May 2014 03:29:27 +0000 (20:29 -0700)

committer Stanislav Malyshev <stas@php.net>

Fri, 18 Jul 2014 23:05:52 +0000 (16:05 -0700)
author Stanislav Malyshev <stas@php.net>
Mon, 12 May 2014 03:29:27 +0000 (20:29 -0700)
committer Stanislav Malyshev <stas@php.net>
Fri, 18 Jul 2014 23:05:52 +0000 (16:05 -0700)
diff --git a/ext/standard/tests/strings/bug67252.phpt b/ext/standard/tests/strings/bug67252.phpt

new file mode 100644 (file)

index 0000000..80a6ebc
--- /dev/null
+++ b/ext/standard/tests/strings/bug67252.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #67252 (convert_uudecode out-of-bounds read)
+--FILE--
+<?php
+
+$a = "M86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A"."\n"."a.";
+var_dump(convert_uudecode($a));
+
+?>
+--EXPECTF--    
+
+Warning: convert_uudecode(): The given parameter is not a valid uuencoded string in %s on line %d
+bool(false)
diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c

index f0142ed0499646a31fd2c7d661917a1eb33d4c9c..212ab706bb5cab3b91729f5483a573ca4c4d1d60 100644 (file)
--- a/ext/standard/uuencode.c
+++ b/ext/standard/uuencode.c
@@ -151,6 +151,9 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */
                 }
  
                 while (s < ee) {
+                       if(s+4 > e) {
+                               goto err;
+                       } 
                         *p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4;
                         *p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2;
                         *p++ = PHP_UU_DEC(*(s + 2)) << 6 | PHP_UU_DEC(*(s + 3));
author	Stanislav Malyshev <stas@php.net>
	Mon, 12 May 2014 03:29:27 +0000 (20:29 -0700)
committer	Stanislav Malyshev <stas@php.net>
	Fri, 18 Jul 2014 23:05:52 +0000 (16:05 -0700)
ext/standard/tests/strings/bug67252.phpt	[new file with mode: 0644]	patch \| blob
ext/standard/uuencode.c		patch \| blob \| history