php-bug78069.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

Without test as binary patch not supported


From 17d5e269dabc704c1cf24ebb03056142e28c9bfe Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 27 May 2019 16:32:42 -0700
Subject: [PATCH] Fix bug #78069 - Out-of-bounds read in
 iconv.c:_php_iconv_mime_decode() due to integer overflow

(cherry picked from commit 7cf7148a8f8f4f55fb04de2a517d740bb6253eac)
---
 ext/iconv/iconv.c             |   4 +++-
 ext/iconv/tests/bug78069.data | Bin 0 -> 107 bytes
 ext/iconv/tests/bug78069.phpt |  15 +++++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 ext/iconv/tests/bug78069.data
 create mode 100644 ext/iconv/tests/bug78069.phpt

diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c
index ea619aa227..06145348f2 100644
--- a/ext/iconv/iconv.c
+++ b/ext/iconv/iconv.c
@@ -1645,7 +1645,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st
 							 * we can do at this point. */
 							if (*(p1 + 1) == '=') {
 								++p1;
-								--str_left;
+								if (str_left > 1) {
+									--str_left;
+								}
 							}
 
 							err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);