Backported for 5.4/5.5, from 5.6, by Remi
From 78bffa72c1ad8936eae51270f93be17a9c58cfc1 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Mon, 3 Dec 2018 02:12:11 -0800
Subject: [PATCH] Fix null pointer deref in qprint-encode filter (bug #77231)
---
 NEWS | 4 ++++
 ext/standard/filters.c | 2 +-
 ext/standard/tests/filters/bug77231.phpt | 11 +++++++++++
 3 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/filters/bug77231.phpt
diff --git a/ext/standard/filters.c b/ext/standard/filters.c
index dc7b0d86dcd3..9718a45be25e 100644
--- a/ext/standard/filters.c
+++ b/ext/standard/filters.c
@@ -928,7 +928,7 @@ static php_conv_err_t php_conv_qprint_encode_convert(php_conv_qprint_encode *ins
 line_ccnt--;
 CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt);
 } else {
- if (line_ccnt < 4) {
+ if (line_ccnt < 4 && inst->lbchars != NULL) {
 if (ocnt < inst->lbchars_len + 1) {
 err = PHP_CONV_ERR_TOO_BIG;
 break;
diff --git a/ext/standard/tests/filters/bug77231.phpt b/ext/standard/tests/filters/bug77231.phpt
new file mode 100644
index 000000000000..17967ee80fc5
--- /dev/null
+++ b/ext/standard/tests/filters/bug77231.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #77231 (Segfault when using convert.quoted-printable-encode filter)
+--FILE--
+
+--EXPECT--
+array(1) {
+ [0]=>
+ string(74) "=BFAAAAAAAAFAAAAAAAAAAAAAA=FF=FF=FF=FF=FF=FF=FF=FFAAAAAAAAAAAAAAAAAAAAAAAA"
+}
\ No newline at end of file
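Review bot: The new condition on the `if (line_ccnt < 4 && inst->lbchars != NULL)` line only skips the soft-break branch when `inst->lbchars` is NULL, so an encoder instance configured without a line-break sequence now emits output with no line wrapping at all and, as far as the visible context shows, the `line_ccnt < 4` test keeps being re-evaluated to no effect as `line_ccnt--` runs; that silent change of behaviour deserves a comment on the line, e.g. `/* no line-break sequence configured (bug #77231): never insert soft breaks */`. A more robust fix would keep the invariant out of the encode loop by rejecting or defaulting a NULL `lbchars` where the `php_conv_qprint_encode` instance is set up, so `inst->lbchars_len` on the following line can never be read for a NULL buffer; that setup code is not in this hunk. The body of php_conv_qprint_encode_convert begins and ends outside the hunk. The diffstat lists NEWS and the new phpt has a `--FILE--` section, but neither the NEWS hunk nor the test's PHP code appears on this page, so the regression test cannot be checked here.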