|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #27460 base64_decode fails to follow RFC 3548 completely
Submitted: 2004-03-02 09:43 UTC Modified: 2004-03-06 13:58 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: naish at klanen dot net Assigned:
Status: Closed Package: URL related
PHP Version: 4.3.4 OS: Suse Linux 9.0 (2.4.21)
Private report: No CVE-ID:
 [2004-03-02 09:43 UTC] naish at klanen dot net
If a base64 encoded string contains a non-needed "=" at the end of the string base64_decode returns false even though the string has been correctly decoded.

The standard for base64 even specifies that a file may contain non-needed padding chars.

- snip -
Furthermore, such specifications may consider the pad character, "=", as not part of the base alphabet until the end of the string.  If more than the allowed number of pad characters are found at the end of the string, e.g., a base 64 string terminated with "===", the excess pad characters could be ignored.
- /snip -

The fix is simple. In ext/standard/base64.c insert the following code:

        if (ch == base64_pad) {
                switch(i % 4) {
                case 1:
                        return NULL;
                case 2:
                case 3:
                        result[k++] = 0;

in the base64_decode function. Notice that the only thing I did was remove "case 0:" on line 191.

Reproduce code:


	echo $string."\n";

	//Insert a not-needed padding char.

	//This returns false even though $string is valid base64

Expected result:
$string should been encoded to base64 and later decoded with 1 extra "=" added at the end.

Actual result:
PHP fails to decode the string properly.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2004-03-06 13:58 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Mon Nov 30 18:01:32 2015 UTC