Backported for 5.4, from 5.6, by Remi
From 78bffa72c1ad8936eae51270f93be17a9c58cfc1 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 3 Dec 2018 02:12:11 -0800
Subject: [PATCH] Fix null pointer deref in qprint-encode filter (bug #77231)
---
NEWS | 4 ++++
ext/standard/filters.c | 2 +-
ext/standard/tests/filters/bug77231.phpt | 11 +++++++++++
3 files changed, 16 insertions(+), 1 deletion(-)
create mode 100644 ext/standard/tests/filters/bug77231.phpt
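diff --git a/ext/standard/filters.c b/ext/standard/filters.c
index dc7b0d86dcd3..9718a45be25e 100644
--- a/ext/standard/filters.c
+++ b/ext/standard/filters.c
@@ -928,7 +928,7 @@ static php_conv_err_t php_conv_qprint_encode_convert(php_conv_qprint_encode *ins
 line_ccnt--;
 CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt);
 } else {
- if (line_ccnt < 4) {
+ if (line_ccnt < 4 && inst->lbchars != NULL) {
 if (ocnt < inst->lbchars_len + 1) {
 err = PHP_CONV_ERR_TOO_BIG;
 break;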
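Review bot: The added `inst->lbchars != NULL` test in the `else` branch relies on an invariant that is not written down at the guard: a NULL `lbchars` apparently means no line-break string was configured, so the soft line break has to be skipped. A short comment above the condition, such as `/* lbchars == NULL: no line-break string configured, emit no soft line break */`, would keep a later edit from dropping the check and bringing back the crash from bug #77231. The hunk shows only the size check against `inst->lbchars_len`; the code that reads `inst->lbchars` and the rest of `php_conv_qprint_encode_convert` lie outside it, so it is worth confirming that every other use of `inst->lbchars` in the function is guarded the same way.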
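diff --git a/ext/standard/tests/filters/bug77231.phpt b/ext/standard/tests/filters/bug77231.phpt
new file mode 100644
index 000000000000..17967ee80fc5
--- /dev/null
+++ b/ext/standard/tests/filters/bug77231.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #77231 (Segfault when using convert.quoted-printable-encode filter)
+--FILE--
+<?php
+var_dump(file(urldecode('php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAFAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA')));
+?>
+--EXPECT--
+array(1) {
+ [0]=>
+ string(74) "=BFAAAAAAAAFAAAAAAAAAAAAAA=FF=FF=FF=FF=FF=FF=FF=FFAAAAAAAAAAAAAAAAAAAAAAAA"
+}
\ No newline at end of file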
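Review bot: The test covers only a filter built from a bare `php://filter` URL, presumably the configuration in which `lbchars` is NULL, so nothing pins that a filter given a line-break string still emits its soft break before an encoded byte near the end of a line. A second case that attaches the filter with `stream_filter_append()` and the `line-break-chars` and `line-length` parameters, and checks the wrapped output, would catch a regression in the guarded branch of filters.c. A one-line comment in the `--FILE--` section noting that the high bytes force the `=XX` encoding path with no parameters set would also make the input less opaque.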