author | Lauri Kenttä <lauri.kentta@gmail.com> | 2016-05-25 20:28:45 +0300 |
---|---|---|
committer | Nikita Popov <nikic@php.net> | 2016-07-07 01:27:22 +0200 |
commit | c65de8ac1302a3b9825a6abe19c87fe45c68698a (patch) | |
tree | a8193f9aedf926b90511b584ee17706fd1a698a8 | |
parent | ea640e611726cf0fd8b63f38f2f6c9063105ce29 (diff) | |
download | php-git-c65de8ac1302a3b9825a6abe19c87fe45c68698a.tar.gz |
base64_decode: reorder to fix out of bounds read
-rw-r--r-- | ext/standard/base64.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/ext/standard/base64.c b/ext/standard/base64.c
index 81f826c9a8..352e7ea52c 100644
--- a/ext/standard/base64.c
+++ b/ext/standard/base64.c
@@ -143,16 +143,19 @@ PHPAPI zend_string *php_base64_decode_ex(const unsigned char *str, size_t length
 result = zend_string_alloc(length, 0);
 /* run through the whole string, converting as we go */
- while ((ch = *current++) != '\0' && length-- > 0) {
+ while (length-- > 0 && (ch = *current++) != '\0') {
 if (ch == base64_pad) {
- if (*current != '=' && ((i % 4) == 1 || (strict && length > 0))) {
- if ((i % 4) != 1) {
- while (isspace(*(++current))) {
- continue;
- }
- if (*current == '\0') {
- continue;
- }
+ if (i % 4 == 1) {
+ if (length == 0 || *current != '=') {
+ zend_string_free(result);
+ return NULL;
+ }
+ } else if (length > 0 && *current != '=' && strict) {
+ while (--length > 0 && isspace(*++current)) {
+ continue;
+ }
+ if (length == 0 || *current == '\0') {
+ continue;
 }
 zend_string_free(result);
 return NULL; |
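Review bot: In the strict branch (`else if (length > 0 && *current != '=' && strict)`), the byte at `current` is known not to be `=` but is never tested with `isspace`, because the scan pre-increments (`*++current`) before its first check. When that byte is the last one in the buffer, `--length` reaches 0 and the `length == 0` test takes the `continue`, so a single stray byte directly after the padding appears to pass strict validation. Testing before advancing would close the gap while keeping the new bounds checks: `while (length > 0 && isspace(*current)) { current++; length--; }`. A short comment that `length` now counts the bytes remaining at `current` would also help. The diffstat shows only base64.c changed, so a regression test for non-NUL-terminated input and for trailing bytes after padding is worth adding. The loop body continues outside the hunk.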