author | Stanislav Malyshev <stas@php.net> | 2018-12-03 02:12:11 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2018-12-03 10:19:08 -0800 |
commit | 78bffa72c1ad8936eae51270f93be17a9c58cfc1 (patch) | |
tree | 4aaf391f03805681c71a63d238f2aa4df75ccb13 | |
parent | 48f0f73f75c0059ba5d9b73cb4e5faeeaea49c47 (diff) | |
download | php-git-78bffa72c1ad8936eae51270f93be17a9c58cfc1.tar.gz |
Fix null pointer deref in qprint-encode filter (bug #77231)
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/standard/filters.c | 2 | ||||
-rw-r--r-- | ext/standard/tests/filters/bug77231.phpt | 11 |
3 files changed, 16 insertions, 1 deletions
@@ -2,6 +2,10 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2018, PHP 5.6.39
+- Core:
+ . Fixed bug #77231 (Segfault when using convert.quoted-printable-encode
+ filter). (Stas)
+
 - IMAP:
 . Fixed bug #77020 (null pointer dereference in imap_mail). (cmb)
 . Fixed bug #77153 (imap_open allows to run arbitrary shell commands via
diff --git a/ext/standard/filters.c b/ext/standard/filters.c
index dc7b0d86dc..9718a45be2 100644
--- a/ext/standard/filters.c
+++ b/ext/standard/filters.c
@@ -928,7 +928,7 @@ static php_conv_err_t php_conv_qprint_encode_convert(php_conv_qprint_encode *ins
 line_ccnt--;
 CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt);
 } else {
- if (line_ccnt < 4) {
+ if (line_ccnt < 4 && inst->lbchars != NULL) {
 if (ocnt < inst->lbchars_len + 1) {
 err = PHP_CONV_ERR_TOO_BIG;
 break;
diff --git a/ext/standard/tests/filters/bug77231.phpt b/ext/standard/tests/filters/bug77231.phpt
new file mode 100644
index 0000000000..17967ee80f
--- /dev/null
+++ b/ext/standard/tests/filters/bug77231.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #77231 (Segfault when using convert.quoted-printable-encode filter)
+--FILE--
+<?php
+var_dump(file(urldecode('php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAFAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA')));
+?>
+--EXPECT--
+array(1) {
+ [0]=>
+ string(74) "=BFAAAAAAAAFAAAAAAAAAAAAAA=FF=FF=FF=FF=FF=FF=FF=FFAAAAAAAAAAAAAAAAAAAAAAAA"
+}
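Review bot: The added `inst->lbchars != NULL` test on the `if (line_ccnt < 4 ...)` condition in ext/standard/filters.c has no comment saying what a NULL `lbchars` means, and the block it now skips is only partly visible in the hunk. I would document the condition, e.g. `/* lbchars == NULL: no line-break sequence set, so emit no soft line break */`, assuming that is what NULL means here. Judging by the `ocnt < inst->lbchars_len + 1` size check, the skipped block writes the line break and presumably resets the per-line counter, so it should be confirmed that later decrements of `line_ccnt` cannot wrap or go negative once that reset no longer happens. The rest of php_conv_qprint_encode_convert is outside the hunk; any other read of `inst->lbchars` or `inst->lbchars_len` there needs the same guard.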
\ No newline at end of file |
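Review bot: Only the parameterless filter is covered in bug77231.phpt, which is presumably the case that leaves `lbchars` NULL. Nothing here pins that soft line breaks are still inserted when a line-break sequence is configured, which is the other side of the condition changed in ext/standard/filters.c. A second case that attaches the filter with the `line-length` and `line-break-chars` options and checks the wrapped output would guard against the new condition suppressing breaks by mistake.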