path: root/php-bug78069.patch
Test omitted, as binary patches are not supported.




From aabd02d6dd1eab180486cff933dc8d08d4297e38 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 27 May 2019 16:32:42 -0700
Subject: [PATCH] Fix bug #78069 - Out-of-bounds read in
 iconv.c:_php_iconv_mime_decode() due to integer overflow

(cherry picked from commit 7cf7148a8f8f4f55fb04de2a517d740bb6253eac)
---
 ext/iconv/iconv.c             |   4 +++-
 ext/iconv/tests/bug78069.data | Bin 0 -> 107 bytes
 ext/iconv/tests/bug78069.phpt |  15 +++++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 ext/iconv/tests/bug78069.data
 create mode 100644 ext/iconv/tests/bug78069.phpt

diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c
index 335dbd17e9..bbc4b0f5e3 100644
--- a/ext/iconv/iconv.c
+++ b/ext/iconv/iconv.c
@@ -1645,7 +1645,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st
 							 * we can do at this point. */
 							if (*(p1 + 1) == '=') {
 								++p1;
-								--str_left;
+								if (str_left > 1) {
+									--str_left;
+								}
 							}
 
 							err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);
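Review bot: The new `str_left > 1` guard protects only the counter, while `*(p1 + 1)` is still read and `++p1` still runs before any length check, so with one byte left the pointer advances without the count following it. The `_php_iconv_appendl` length `(p1 + 1) - encoded_word` on the last line is then computed from that advanced pointer and may cover a byte that `str_left` never accounted for. Whether `p1 + 1` is still inside the caller's buffer at that point cannot be seen from this hunk, so it is safer to put the bound into the condition and keep pointer and count moving together: `if (str_left > 1 && *(p1 + 1) == '=') { ++p1; --str_left; }`. A short comment such as `/* never let str_left reach 0 here: the enclosing loop's decrement would wrap the unsigned counter */` would record why the guard exists; the loop itself is outside the hunk, so this is inferred from the commit subject.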