authorStanislav Malyshev <stas@php.net>2018-12-03 02:12:11 -0800
committerStanislav Malyshev <stas@php.net>2018-12-03 10:19:08 -0800
commit78bffa72c1ad8936eae51270f93be17a9c58cfc1 (patch)
tree4aaf391f03805681c71a63d238f2aa4df75ccb13
parent48f0f73f75c0059ba5d9b73cb4e5faeeaea49c47 (diff)
downloadphp-git-78bffa72c1ad8936eae51270f93be17a9c58cfc1.tar.gz
Fix null pointer deref in qprint-encode filter (bug #77231)
-rw-r--r--NEWS4
-rw-r--r--ext/standard/filters.c2
-rw-r--r--ext/standard/tests/filters/bug77231.phpt11
3 files changed, 16 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 727e874f97..303f2a0348 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2018, PHP 5.6.39
+- Core:
+ . Fixed bug #77231 (Segfault when using convert.quoted-printable-encode
+ filter). (Stas)
+
- IMAP:
. Fixed bug #77020 (null pointer dereference in imap_mail). (cmb)
. Fixed bug #77153 (imap_open allows to run arbitrary shell commands via
diff --git a/ext/standard/filters.c b/ext/standard/filters.c
index dc7b0d86dc..9718a45be2 100644
--- a/ext/standard/filters.c
+++ b/ext/standard/filters.c
@@ -928,7 +928,7 @@ static php_conv_err_t php_conv_qprint_encode_convert(php_conv_qprint_encode *ins
line_ccnt--;
CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt);
} else {
- if (line_ccnt < 4) {
+ if (line_ccnt < 4 && inst->lbchars != NULL) {
if (ocnt < inst->lbchars_len + 1) {
err = PHP_CONV_ERR_TOO_BIG;
break;
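Review bot: The added `inst->lbchars != NULL` test on the `line_ccnt < 4` condition makes the soft line break silently optional, but nothing at that line says a NULL `lbchars` is a legitimate state rather than an error. A short comment above the condition would help, for example `/* lbchars may be NULL when no line-break sequence is configured; emit no soft line break in that case */` (the wording should be checked against the constructor, which is outside this hunk). Because the whole guarded block is now skipped in that case, any bookkeeping it does on `line_ccnt` is skipped too, so it is worth confirming that later arithmetic on `line_ccnt` in this branch cannot wrap when `lbchars` is NULL. The body of php_conv_qprint_encode_convert continues beyond the hunk, so this cannot be verified from the lines shown.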
diff --git a/ext/standard/tests/filters/bug77231.phpt b/ext/standard/tests/filters/bug77231.phpt
new file mode 100644
index 0000000000..17967ee80f
--- /dev/null
+++ b/ext/standard/tests/filters/bug77231.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #77231 (Segfault when using convert.quoted-printable-encode filter)
+--FILE--
+<?php
+var_dump(file(urldecode('php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAFAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA')));
+?>
+--EXPECT--
+array(1) {
+ [0]=>
+ string(74) "=BFAAAAAAAAFAAAAAAAAAAAAAA=FF=FF=FF=FF=FF=FF=FF=FFAAAAAAAAAAAAAAAAAAAAAAAA"
+} \ No newline at end of file
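Review bot: The regression test exercises only the filter without parameters, which is presumably the path where no line-break sequence is set, so it would not notice if the new guard also suppressed soft line breaks when one is configured. A second case would pin both sides of the condition: attach the filter with `stream_filter_append()` and explicit `line-length` / `line-break-chars` parameters, then assert that the break still appears before an encoded byte near the line limit. The file also ends without a trailing newline.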