Fix null pointer deref in qprint-encode filter (bug #77231)

php · Dec 4, 2018 · 09cb571 · 09cb571
1 parent 8852e24
commit 09cb571
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/NEWS b/NEWS
@@ -17,6 +17,10 @@ PHP                                                                        NEWS
   . Fixed bug #77147 (Fixing 60494 ignored ICONV_MIME_DECODE_CONTINUE_ON_ERROR).
     (cmb)
 
+- Core:
+  . Fixed bug #77231 (Segfault when using convert.quoted-printable-encode 
+    filter). (Stas)
+
 - IMAP:
   . Fixed bug #77153 (imap_open allows to run arbitrary shell commands via
     mailbox parameter). (Stas)

diff --git a/ext/standard/filters.c b/ext/standard/filters.c
@@ -917,7 +917,7 @@ static php_conv_err_t php_conv_qprint_encode_convert(php_conv_qprint_encode *ins
 			line_ccnt--;
 			CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt);
 		} else {
-			if (line_ccnt < 4) {
+			if (line_ccnt < 4 && inst->lbchars != NULL) {
 				if (ocnt < inst->lbchars_len + 1) {
 					err = PHP_CONV_ERR_TOO_BIG;
 					break;

diff --git a/ext/standard/tests/filters/bug77231.phpt b/ext/standard/tests/filters/bug77231.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #77231 (Segfault when using convert.quoted-printable-encode filter)
+--FILE--
+<?php
+var_dump(file(urldecode('php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAFAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA')));
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(74) "=BFAAAAAAAAFAAAAAAAAAAAAAA=FF=FF=FF=FF=FF=FF=FF=FFAAAAAAAAAAAAAAAAAAAAAAAA"
+}