From 7ba86d078ff3682b07b3c7375b9b279ed987bb32 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <iliaa@php.net>
Date: Thu, 27 Jul 2006 15:37:56 +0000
Subject: [PATCH] Fixed bug #38236 (Binary data gets corrupted on
 multipart/formdata POST).

---
 NEWS                 |  2 ++
 main/php_variables.c | 26 ++++++++++++++++----------
 2 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/NEWS b/NEWS
index ba8c2cf4f5..0072dfc510 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,8 @@ PHP                                                                        NEWS
   . Fixed bug #37564 (AES privacy encryption not possible due to net-snmp 5.2
     compatibility issue). (Patch: scott dot moynes+php at gmail dot com)
 
+- Fixed bug #38236 (Binary data gets corrupted on multipart/formdata POST).
+  (Ilia)
 - Fixed bug #38234 (Exception in __clone makes memory leak). (Dmitry, Nuno)
 - Fixed bug #38229 (strtotime() does not parse YYYY-MM format). (Ilia)
 - Fixed bug #38224 (session extension can't handle broken cookies). (Ilia)
diff --git a/main/php_variables.c b/main/php_variables.c
index f1570e94dd..789511391f 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -216,31 +216,37 @@ plain_var:
 
 SAPI_API SAPI_POST_HANDLER_FUNC(php_std_post_handler)
 {
-	char *var, *val;
-	char *strtok_buf = NULL;
+	char *var, *val, *e, *s, *p;
 	zval *array_ptr = (zval *) arg;
 
 	if (SG(request_info).post_data == NULL) {
 		return;
 	}	
 
-	var = php_strtok_r(SG(request_info).post_data, "&", &strtok_buf);
+	s = SG(request_info).post_data;
+	e = s + SG(request_info).post_data_length;
 
-	while (var) {
-		val = strchr(var, '=');
-		if (val) { /* have a value */
+	while (s < e && (p = memchr(s, '&', (e - s)))) {
+last_value:
+		if ((val = memchr(s, '=', (p - s)))) { /* have a value */
 			unsigned int val_len, new_val_len;
 
-			*val++ = '\0';
-			php_url_decode(var, strlen(var));
-			val_len = php_url_decode(val, strlen(val));
+			var = s;
+
+			php_url_decode(var, (val - s));
+			val++;
+			val_len = php_url_decode(val, (p - val));
 			val = estrndup(val, val_len);
 			if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {
 				php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
 			}
 			efree(val);
 		}
-		var = php_strtok_r(NULL, "&", &strtok_buf);
+		s = p + 1;
+	}
+	if (s < e) {
+		p = e;
+		goto last_value;
 	}
 }
 
-- 
2.50.1