Fix bug #67252: convert_uudecode out-of-bounds read

author: Stanislav Malyshev <stas@php.net> 2014-05-11 20:29:27 -0700
committer: Stanislav Malyshev <stas@php.net> 2014-05-11 20:29:27 -0700
commit: 1e2818b143760a79a0887861bd6221b158355073 (patch)
tree: 504775f8090d603394ebd39d0d417cb40e77963c /ext/standard
parent: 2b475eebbea85779989e98e87753d6b023a1d131 (diff)
download: php-git-1e2818b143760a79a0887861bd6221b158355073.tar.gz
2 files changed, 16 insertions, 0 deletions
diff --git a/ext/standard/tests/strings/bug67252.phpt b/ext/standard/tests/strings/bug67252.phpt
new file mode 100644
index 0000000000..80a6ebcf1c
--- /dev/null
+++ b/ext/standard/tests/strings/bug67252.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #67252 (convert_uudecode out-of-bounds read)
+--FILE--
+<?php
+
+$a = "M86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A"."\n"."a.";
+var_dump(convert_uudecode($a));
+
+?>
+--EXPECTF--	
+
+Warning: convert_uudecode(): The given parameter is not a valid uuencoded string in %s on line %d
+bool(false)
diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c
index 52e892ed9e..8544aef9f0 100644
--- a/ext/standard/uuencode.c
+++ b/ext/standard/uuencode.c
@@ -151,6 +151,9 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */
 		}
 
 		while (s < ee) {
+			if(s+4 > e) {
+				goto err;
+			} 
 			*p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4;
 			*p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2;
 			*p++ = PHP_UU_DEC(*(s + 2)) << 6 | PHP_UU_DEC(*(s + 3));
author	Stanislav Malyshev <stas@php.net>	2014-05-11 20:29:27 -0700
committer	Stanislav Malyshev <stas@php.net>	2014-05-11 20:29:27 -0700
commit	1e2818b143760a79a0887861bd6221b158355073 (patch)
tree	504775f8090d603394ebd39d0d417cb40e77963c /ext/standard
parent	2b475eebbea85779989e98e87753d6b023a1d131 (diff)
download	php-git-1e2818b143760a79a0887861bd6221b158355073.tar.gz