base64_decode: reorder to fix out of bounds read
authorLauri Kenttä <lauri.kentta@gmail.com>
Wed, 25 May 2016 17:28:45 +0000 (20:28 +0300)
committerNikita Popov <nikic@php.net>
Wed, 6 Jul 2016 23:27:22 +0000 (01:27 +0200)
ext/standard/base64.c

index 81f826c9a8a71905c532dfcb087346f577c94082..352e7ea52c966acbde4bcb2851aa9a48ad67bfec 100644 (file)
@@ -143,16 +143,19 @@ PHPAPI zend_string *php_base64_decode_ex(const unsigned char *str, size_t length
        result = zend_string_alloc(length, 0);
 
        /* run through the whole string, converting as we go */
-       while ((ch = *current++) != '\0' && length-- > 0) {
+       while (length-- > 0 && (ch = *current++) != '\0') {
                if (ch == base64_pad) {
-                       if (*current != '=' && ((i % 4) == 1 || (strict && length > 0))) {
-                               if ((i % 4) != 1) {
-                                       while (isspace(*(++current))) {
-                                               continue;
-                                       }
-                                       if (*current == '\0') {
-                                               continue;
-                                       }
+                       if (i % 4 == 1) {
+                               if (length == 0 || *current != '=') {
+                                       zend_string_free(result);
+                                       return NULL;
+                               }
+                       } else if (length > 0 && *current != '=' && strict) {
+                               while (--length > 0 && isspace(*++current)) {
+                                       continue;
+                               }
+                               if (length == 0 || *current == '\0') {
+                                       continue;
                                }
                                zend_string_free(result);
                                return NULL;
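Review bot: In the strict branch, `while (--length > 0 && isspace(*++current))` advances before it tests, so the byte `current` points to on entry (known only to differ from `=`) is stepped over without being checked; this looks carried over from the removed `isspace(*(++current))`. As far as the hunk shows, a single non-whitespace byte after a lone pad at the very end of the input would therefore pass strict mode through the `length == 0` path. If that is not intended, test before advancing, e.g. `while (length > 0 && isspace(*current)) { current++; length--; }`. The fix also depends on an unstated invariant, so a comment above the loop would help: `/* after length--, length is the number of unread bytes at current; check length > 0 before every *current */`. The function body starts and ends outside the hunk, so any later use of `length` (a `size_t` that wraps when the loop exits on `length-- > 0`) cannot be checked from here.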