diff options
author | Stanislav Malyshev <stas@php.net> | 2016-08-16 16:03:44 -0700 |
---|---|---|
committer | Ferenc Kovacs <tyra3l@gmail.com> | 2016-08-18 12:53:47 +0200 |
commit | c35e4cb20cdeb02d9d362c57edce11c2948effcd (patch) | |
tree | 04b1b1383d3a40c52393e4874488cea7ff4833bb | |
parent | dc223e524d640167c0f12e942eb52cabd6f89ee4 (diff) | |
download | php-git-c35e4cb20cdeb02d9d362c57edce11c2948effcd.tar.gz |
Fix bug #72850 - integer overflow in uuencode
-rw-r--r-- | ext/standard/uuencode.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c index cd35c288ee..a31f14d824 100644 --- a/ext/standard/uuencode.c +++ b/ext/standard/uuencode.c @@ -153,7 +153,7 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */ while (s < ee) { if(s+4 > e) { goto err; - } + } *p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4; *p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2; *p++ = PHP_UU_DEC(*(s + 2)) << 6 | PHP_UU_DEC(*(s + 3)); @@ -188,7 +188,7 @@ err: } /* }}} */ -/* {{{ proto string convert_uuencode(string data) +/* {{{ proto string convert_uuencode(string data) uuencode a string */ PHP_FUNCTION(convert_uuencode) { @@ -200,6 +200,11 @@ PHP_FUNCTION(convert_uuencode) } dst_len = php_uuencode(src, src_len, &dst); + if (dst_len < 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX); + efree(dst); + RETURN_FALSE; + } RETURN_STRINGL(dst, dst_len, 0); } |