diff options
author | Stanislav Malyshev <stas@php.net> | 2019-05-27 16:32:42 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2019-05-27 16:32:42 -0700 |
commit | 7cf7148a8f8f4f55fb04de2a517d740bb6253eac (patch) | |
tree | 2c5f5aa945e0c90dba147abed87b13a85845fda9 | |
parent | ed6dee9a198c904ad5e03113e58a2d2c200f5184 (diff) | |
download | php-git-7cf7148a8f8f4f55fb04de2a517d740bb6253eac.tar.gz |
Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow
-rw-r--r-- | ext/iconv/iconv.c | 4 | ||||
-rw-r--r-- | ext/iconv/tests/bug78069.data | bin | 0 -> 107 bytes | |||
-rw-r--r-- | ext/iconv/tests/bug78069.phpt | 15 |
3 files changed, 18 insertions, 1 deletions
diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c index f86d0ae031..b4a2abe08d 100644 --- a/ext/iconv/iconv.c +++ b/ext/iconv/iconv.c @@ -1673,7 +1673,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st * we can do at this point. */ if (*(p1 + 1) == '=') { ++p1; - --str_left; + if (str_left > 1) { + --str_left; + } } err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl); diff --git a/ext/iconv/tests/bug78069.data b/ext/iconv/tests/bug78069.data Binary files differnew file mode 100644 index 0000000000..ebd5d0bdcf --- /dev/null +++ b/ext/iconv/tests/bug78069.data diff --git a/ext/iconv/tests/bug78069.phpt b/ext/iconv/tests/bug78069.phpt new file mode 100644 index 0000000000..1341a5ef4f --- /dev/null +++ b/ext/iconv/tests/bug78069.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow) +--SKIPIF-- +<?php +if (!extension_loaded('iconv')) die('skip ext/iconv required'); +?> +--FILE-- +<?php +$hdr = iconv_mime_decode_headers(file_get_contents(__DIR__ . "/bug78069.data"),2); +var_dump(count($hdr)); +?> +DONE +--EXPECT-- +int(1) +DONE
\ No newline at end of file |