From: Stanislav Malyshev <stas@php.net>
Date: Mon, 12 May 2014 03:29:27 +0000 (-0700)
Subject: Fix bug #67252: convert_uudecode out-of-bounds read
X-Git-Tag: php-5.3.29RC1~17
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7f527897fe3e333f43bbed67741287d355ab4b2b;p=php

Fix bug #67252: convert_uudecode out-of-bounds read
---

diff --git a/ext/standard/tests/strings/bug67252.phpt b/ext/standard/tests/strings/bug67252.phpt
new file mode 100644
index 0000000000..80a6ebcf1c
--- /dev/null
+++ b/ext/standard/tests/strings/bug67252.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #67252 (convert_uudecode out-of-bounds read)
+--FILE--
+<?php
+
+$a = "M86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A"."\n"."a.";
+var_dump(convert_uudecode($a));
+
+?>
+--EXPECTF--	
+
+Warning: convert_uudecode(): The given parameter is not a valid uuencoded string in %s on line %d
+bool(false)
diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c
index f0142ed049..212ab706bb 100644
--- a/ext/standard/uuencode.c
+++ b/ext/standard/uuencode.c
@@ -151,6 +151,9 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */
 		}
 
 		while (s < ee) {
+			if(s+4 > e) {
+				goto err;
+			} 
 			*p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4;
 			*p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2;
 			*p++ = PHP_UU_DEC(*(s + 2)) << 6 | PHP_UU_DEC(*(s + 3));