From 5c62f3f68e38dd12a8e2f590f5f52d11d0aad8a6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Lauri=20Kentt=C3=A4?= <lauri.kentta@gmail.com>
Date: Mon, 11 Jul 2016 12:40:08 +0300
Subject: [PATCH] base64_decode: strict: Fail on excessive padding

---
 ext/standard/base64.c                               | 5 +++++
 ext/standard/tests/url/base64_decode_basic_001.phpt | 8 ++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/ext/standard/base64.c b/ext/standard/base64.c
index cf6951ba8d..374628d861 100644
--- a/ext/standard/base64.c
+++ b/ext/standard/base64.c
@@ -197,6 +197,11 @@ PHPAPI zend_string *php_base64_decode_ex(const unsigned char *str, size_t length
 	if (strict && i % 4 == 1) {
 		goto fail;
 	}
+	/* fail if the padding length is wrong (not VV==, VVV=), but accept zero padding
+	 * RFC 4648: "In some circumstances, the use of padding [--] is not required" */
+	if (strict && padding && (padding > 2 || (i + padding) % 4 != 0)) {
+		goto fail;
+	}
 
 	ZSTR_LEN(result) = j;
 	ZSTR_VAL(result)[ZSTR_LEN(result)] = '\0';
diff --git a/ext/standard/tests/url/base64_decode_basic_001.phpt b/ext/standard/tests/url/base64_decode_basic_001.phpt
index 7aba807e19..e1469c37e8 100644
--- a/ext/standard/tests/url/base64_decode_basic_001.phpt
+++ b/ext/standard/tests/url/base64_decode_basic_001.phpt
@@ -9,7 +9,7 @@ Test base64_decode() function : basic functionality - ensure all base64 alphabet
  */
 
 echo "Decode an input string containing the whole base64 alphabet:\n";
-$allbase64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
+$allbase64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/VV==";
 var_dump(bin2hex(base64_decode($allbase64)));
 var_dump(bin2hex(base64_decode($allbase64, false)));
 var_dump(bin2hex(base64_decode($allbase64, true)));
@@ -18,7 +18,7 @@ echo "Done";
 ?>
 --EXPECTF--
 Decode an input string containing the whole base64 alphabet:
-string(96) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf"
-string(96) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf"
-string(96) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf"
+string(98) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf55"
+string(98) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf55"
+string(98) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf55"
 Done
\ No newline at end of file
-- 
2.40.0