Fix bug #67252: convert_uudecode out-of-bounds read

2 files changed, 16 insertions, 0 deletions

diff --git a/ext/standard/tests/strings/bug67252.phpt b/ext/standard/tests/strings/bug67252.phpt
new file mode 100644
index 0000000000..80a6ebcf1c
--- /dev/null
+++ b/ext/standard/tests/strings/bug67252.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #67252 (convert_uudecode out-of-bounds read)
+--FILE--
+<?php
+
+$a = "M86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A"."\n"."a.";
+var_dump(convert_uudecode($a));
+
+?>
+--EXPECTF--	
+
+Warning: convert_uudecode(): The given parameter is not a valid uuencoded string in %s on line %d
+bool(false)
diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c
index f0142ed049..212ab706bb 100644
--- a/ext/standard/uuencode.c
+++ b/ext/standard/uuencode.c
@@ -151,6 +151,9 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */
 		}
 
 		while (s < ee) {
+			if(s+4 > e) {
+				goto err;
+			} 
 			*p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4;
 			*p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2;
 			*p++ = PHP_UU_DEC(*(s + 2)) << 6 | PHP_UU_DEC(*(s + 3));