From 853d71400896b9f7ea0d3ec59f3789439a407380 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Tue, 24 Aug 2004 15:25:59 +0000
Subject: [PATCH] MFH: Fixed bug #29821 (Fixed possible crashes in convert_uudecode() on invalid data).
---
 NEWS | 2 ++
 ext/standard/uuencode.c | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/NEWS b/NEWS
index 82940287f1..cd832d2056 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ PHP NEWS
 (Paul Hudson, Derick)
 - Fixed bug with raw_post_data not getting set (Brian)
 - Fixed a file-descriptor leak with phpinfo() and other 'special' URLs (Zeev)
+- Fixed bug #29821 (Fixed possible crashes in convert_uudecode() on invalid
+ data). (Ilia)
 - Fixed bug #29737 (ip2long should return -1 if IP is 255.255.255.255 and FALSE on error). (Tony)
 - Fixed bug #29711 (Changed ext/xml to default to UTF-8 output). (Rob)
diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c
index 544fda1cac..9606fbaccb 100644
--- a/ext/standard/uuencode.c
+++ b/ext/standard/uuencode.c
@@ -136,9 +136,18 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest)
 if ((len = PHP_UU_DEC(*s++)) <= 0) {
 break;
 }
+ /* sanity check */
+ if (len > src_len) {
+ goto err;
+ }
+ total_len += len;
 ee = s + (len == 45 ? 60 : (int) floor(len * 1.33));
+ /* sanity check */
+ if (ee > e) {
+ goto err;
+ }
 while (s < ee) {
 *p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4;
@@ -168,6 +177,10 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest)
 *(*dest + total_len) = '\0';
 return total_len;
+
+err:
+ efree(*dest);
+ return -1;
 }
 /* {{{ proto string uuencode(string data)
@@ -199,6 +212,10 @@ PHP_FUNCTION(convert_uudecode)
 }
 dst_len = php_uudecode(src, src_len, &dst);
+ if (dst_len < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The given parameter is not a valid uuencoded string.");
+ RETURN_FALSE;
+ }
 RETURN_STRINGL(dst, dst_len, 0);
 }
--
2.40.0
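Review bot: In the first uuencode.c hunk the second guard tests `ee > e` only after `ee = s + ...` has been computed, so for a truncated line the pointer is already formed beyond the end of the input before it is compared, which C leaves undefined. Comparing lengths keeps the arithmetic in range, e.g. `n = (len == 45 ? 60 : (int) floor(len * 1.33)); if (n > e - s) goto err; ee = s + n;` with `n` as a new local. The loop line visible here reads `*(s + 1)` and the rest of the loop lies outside the hunk, so it is worth confirming that the last group cannot read past `ee` when the computed length is not a multiple of four. The two `/* sanity check */` comments would help more if they said what each one bounds, for instance `/* a line's decoded length cannot exceed the input length */` and `/* the encoded line must fit in the remaining input */`.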
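Review bot: The new `err:` path in the second uuencode.c hunk frees `*dest` but leaves the caller's pointer aimed at the released buffer, so a caller that does not test for the negative return would go on to use or free it; `efree(*dest); *dest = NULL;` turns that into a visible failure instead. The `-1` return is a new contract for an exported (`PHPAPI`) function, and only the convert_uudecode() call in the last hunk is updated here, so any other callers outside this diff need the same `dst_len < 0` check. The allocation of `*dest` is outside the hunk; presumably it always precedes the `goto err` sites, which deserves a one-line comment at the label.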