Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow

smalyshev · cmb69 · commit 70523ce41ff4 · 2019-05-28T09:01:00.000+02:00
(cherry picked from commit 7cf7148)
diff --git a/NEWS b/NEWS
@@ -19,6 +19,10 @@ PHP                                                                        NEWS
   . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm).
     (CVE-2019-11038) (cmb)
 
+- Iconv:
+  . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode()
+    due to integer overflow). (CVE-2019-11039). (maris dot adam)
+
 - JSON:
   . Fixed bug #77843 (Use after free with json serializer). (Nikita)
 
diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c
@@ -1663,7 +1663,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st
 							 * we can do at this point. */
 							if (*(p1 + 1) == '=') {
 								++p1;
-								--str_left;
+								if (str_left > 1) {
+									--str_left;
+								}
 							}
 
 							err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);
diff --git a/ext/iconv/tests/bug78069.data b/ext/iconv/tests/bug78069.data
diff --git a/ext/iconv/tests/bug78069.phpt b/ext/iconv/tests/bug78069.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow)
+--SKIPIF--
+<?php
+if (!extension_loaded('iconv')) die('skip ext/iconv required');
+?>
+--FILE--
+<?php
+$hdr = iconv_mime_decode_headers(file_get_contents(__DIR__ . "/bug78069.data"),2);
+var_dump(count($hdr));
+?>
+DONE
+--EXPECT--
+int(1)
+DONE
