blob: 8a2e237e9e02c405f4a958c9a94e676ef964ff64 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
Backported for 5.4, from 5.6, by Remi
From 78bffa72c1ad8936eae51270f93be17a9c58cfc1 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 3 Dec 2018 02:12:11 -0800
Subject: [PATCH] Fix null pointer deref in qprint-encode filter (bug #77231)
---
NEWS | 4 ++++
ext/standard/filters.c | 2 +-
ext/standard/tests/filters/bug77231.phpt | 11 +++++++++++
3 files changed, 16 insertions(+), 1 deletion(-)
create mode 100644 ext/standard/tests/filters/bug77231.phpt
diff --git a/ext/standard/filters.c b/ext/standard/filters.c
index dc7b0d86dcd3..9718a45be25e 100644
--- a/ext/standard/filters.c
+++ b/ext/standard/filters.c
@@ -928,7 +928,7 @@ static php_conv_err_t php_conv_qprint_encode_convert(php_conv_qprint_encode *ins
line_ccnt--;
CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt);
} else {
- if (line_ccnt < 4) {
+ if (line_ccnt < 4 && inst->lbchars != NULL) {
if (ocnt < inst->lbchars_len + 1) {
err = PHP_CONV_ERR_TOO_BIG;
break;
diff --git a/ext/standard/tests/filters/bug77231.phpt b/ext/standard/tests/filters/bug77231.phpt
new file mode 100644
index 000000000000..17967ee80fc5
--- /dev/null
+++ b/ext/standard/tests/filters/bug77231.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #77231 (Segfault when using convert.quoted-printable-encode filter)
+--FILE--
+<?php
+var_dump(file(urldecode('php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAFAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA')));
+?>
+--EXPECT--
+array(1) {
+ [0]=>
+ string(74) "=BFAAAAAAAAFAAAAAAAAAAAAAA=FF=FF=FF=FF=FF=FF=FF=FFAAAAAAAAAAAAAAAAAAAAAAAA"
+}
\ No newline at end of file
|
