diff options
author | Stanislav Malyshev <stas@php.net> | 2019-05-27 16:32:42 -0700 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-05-28 09:01:00 +0200 |
commit | 70523ce41ff400ea00343a03f297332cb1f1b77b (patch) | |
tree | 2992c386bec7573ae80d06c1504bb1e02589be09 | |
parent | 903b1828dcd68f7cf8b9177a3fe6f481bf627ba9 (diff) | |
download | php-git-70523ce41ff400ea00343a03f297332cb1f1b77b.tar.gz |
Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow
(cherry picked from commit 7cf7148a8f8f4f55fb04de2a517d740bb6253eac)
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/iconv/iconv.c | 4 | ||||
-rw-r--r-- | ext/iconv/tests/bug78069.data | bin | 0 -> 107 bytes | |||
-rw-r--r-- | ext/iconv/tests/bug78069.phpt | 15 |
4 files changed, 22 insertions, 1 deletions
@@ -19,6 +19,10 @@ PHP NEWS . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm). (CVE-2019-11038) (cmb) +- Iconv: + . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() + due to integer overflow). (CVE-2019-11039). (maris dot adam) + - JSON: . Fixed bug #77843 (Use after free with json serializer). (Nikita) diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c index d80bac77f3..24aefcbba7 100644 --- a/ext/iconv/iconv.c +++ b/ext/iconv/iconv.c @@ -1663,7 +1663,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st * we can do at this point. */ if (*(p1 + 1) == '=') { ++p1; - --str_left; + if (str_left > 1) { + --str_left; + } } err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl); diff --git a/ext/iconv/tests/bug78069.data b/ext/iconv/tests/bug78069.data Binary files differnew file mode 100644 index 0000000000..ebd5d0bdcf --- /dev/null +++ b/ext/iconv/tests/bug78069.data diff --git a/ext/iconv/tests/bug78069.phpt b/ext/iconv/tests/bug78069.phpt new file mode 100644 index 0000000000..1341a5ef4f --- /dev/null +++ b/ext/iconv/tests/bug78069.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow) +--SKIPIF-- +<?php +if (!extension_loaded('iconv')) die('skip ext/iconv required'); +?> +--FILE-- +<?php +$hdr = iconv_mime_decode_headers(file_get_contents(__DIR__ . "/bug78069.data"),2); +var_dump(count($hdr)); +?> +DONE +--EXPECT-- +int(1) +DONE
\ No newline at end of file |