base64_decode: reorder to fix out of bounds read

author: Lauri Kenttä <lauri.kentta@gmail.com> 2016-05-25 20:28:45 +0300
committer: Nikita Popov <nikic@php.net> 2016-07-05 16:51:36 +0200
commit: 59d36bfcf2b3241843883f6f728e1b93224df12a (patch)
tree: a8deeba99795b8e9ebd981155384bab3f0881ea8 /ext/standard/base64.c
parent: f22bc6438dcaf55bf80e7be972f3374d31dbaae5 (diff)
download: php-git-59d36bfcf2b3241843883f6f728e1b93224df12a.tar.gz
1 files changed, 12 insertions, 9 deletions
diff --git a/ext/standard/base64.c b/ext/standard/base64.c
index 81f826c9a8..352e7ea52c 100644
--- a/ext/standard/base64.c
+++ b/ext/standard/base64.c
@@ -143,16 +143,19 @@ PHPAPI zend_string *php_base64_decode_ex(const unsigned char *str, size_t length
 	result = zend_string_alloc(length, 0);
 
 	/* run through the whole string, converting as we go */
-	while ((ch = *current++) != '\0' && length-- > 0) {
+	while (length-- > 0 && (ch = *current++) != '\0') {
 		if (ch == base64_pad) {
-			if (*current != '=' && ((i % 4) == 1 || (strict && length > 0))) {
-				if ((i % 4) != 1) {
-					while (isspace(*(++current))) {
-						continue;
-					}
-					if (*current == '\0') {
-						continue;
-					}
+			if (i % 4 == 1) {
+				if (length == 0 || *current != '=') {
+					zend_string_free(result);
+					return NULL;
+				}
+			} else if (length > 0 && *current != '=' && strict) {
+				while (--length > 0 && isspace(*++current)) {
+					continue;
+				}
+				if (length == 0 || *current == '\0') {
+					continue;
 				}
 				zend_string_free(result);
 				return NULL;
author	Lauri Kenttä <lauri.kentta@gmail.com>	2016-05-25 20:28:45 +0300
committer	Nikita Popov <nikic@php.net>	2016-07-05 16:51:36 +0200
commit	59d36bfcf2b3241843883f6f728e1b93224df12a (patch)
tree	a8deeba99795b8e9ebd981155384bab3f0881ea8 /ext/standard/base64.c
parent	f22bc6438dcaf55bf80e7be972f3374d31dbaae5 (diff)
download	php-git-59d36bfcf2b3241843883f6f728e1b93224df12a.tar.gz