Bug #65776 Incorrect line endings causes segfault in convert.quoted-printable-encode
Submitted: 2013-09-27 18:50 UTC Modified: 2020-09-07 12:28 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: mrubinsk at horde dot org Assigned: cmb (profile)
Status: Duplicate Package: Streams related
PHP Version: 5.4.20 OS: OSX, Ubuntu
Private report: No CVE-ID: None


 [2013-09-27 18:50 UTC] mrubinsk at horde dot org
When using the convert.quoted-printable-encode stream filter, if the stream contains a single bare CR line ending at the end of the stream when line-break-chars is set to CRLF this can cause a segfault with certain values of line-length.

Changing the line-length in the test script, or setting line-break-chars to "\r" prevents the segfault.

Test script:
$data = fopen('php://temp', 'r+');
fwrite($data, "test\r\ntest\r\n\r");

$stream = fopen("php://temp", 'r+');
stream_filter_append($stream, 'convert.quoted-printable-encode', STREAM_FILTER_WRITE, array('line-length' => 5, 'line-break-chars' => "\r\n"));
stream_copy_to_stream($data, $stream);

Expected result:
The data should be copied from the $data stream to the $stream stream, applying the convert filter.

Actual result:


 [2013-10-08 11:29 UTC]
-Assigned To: +Assigned To: moriyoshi
 [2013-10-08 11:29 UTC]
Hey Moriyoshi:

It seems this code is obviously wrong: if in_pp is null but lb_ptr is smaller than lb_cnt, then it must segfault at the later "*in_pp";


    if ((in_pp == NULL || in_left_p == NULL) && (lb_ptr >= lb_cnt)) {
        return PHP_CONV_ERR_SUCCESS;
    }

    ps = (unsigned char *)(*in_pp);
 [2013-10-09 02:52 UTC] slusarz at curecanti dot org
I can verify that this change:

-   if ((in_pp == NULL || in_left_p == NULL) && (lb_ptr >=lb_cnt)) {
+   if ((in_pp == NULL || in_left_p == NULL)) {
        return PHP_CONV_ERR_SUCCESS;
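Review bot: dropping `&& (lb_ptr >= lb_cnt)` from the guard makes a call with NULL in_pp or in_left_p return PHP_CONV_ERR_SUCCESS even when lb_ptr < lb_cnt, the state the previous comment identifies as the crashing one. That avoids the later `*in_pp` dereference, but the old condition suggests the lb_ptr < lb_cnt case was meant to be processed rather than skipped, and nothing in this hunk writes out whatever is pending in that state, so the last byte(s) of the stream may be dropped silently. Consider handling the pending case explicitly before the early return, removing the now-redundant outer parentheses, and adding a regression test built from the report's script that checks the encoded output as well as the absence of a crash.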

fixes things.  I'm not sure this affects anything else (I doubt it because, as laurence noted, once in_pp or in_left_p is null, there is no way anything else further in the method could ever be executed, since both will dereference a null pointer long before that.)
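
The comments above turn on the flush call (NULL input) arriving while a line-break match is still partial. The C sketch below is an added illustration, not PHP's source and not code from this report: it shows one way a streaming encoder can test for NULL before any dereference and still write out the pending bytes. conv_t, put_hex, drain_pending and conv_step are hypothetical names, and soft line breaks (line-length) are left out.

```c
#include <stddef.h>

/* Added sketch, not PHP source. lb_ptr counts line-break bytes matched so
 * far that are still pending (not yet written to the output). */
typedef struct { const char *lb; size_t lb_cnt, lb_ptr; } conv_t;

static size_t put_hex(char *out, size_t n, unsigned char b)
{
    static const char hex[] = "0123456789ABCDEF";
    out[n] = '='; out[n + 1] = hex[b >> 4]; out[n + 2] = hex[b & 15];
    return n + 3;
}

/* Write a pending partial match as escaped literals and reset it. */
static size_t drain_pending(conv_t *c, char *out, size_t n)
{
    for (size_t i = 0; i < c->lb_ptr; i++)
        n = put_hex(out, n, (unsigned char)c->lb[i]);
    c->lb_ptr = 0;
    return n;
}

/* in_pp == NULL is the flush call. The caller sizes out at 3 bytes per
 * input byte plus 3 * lb_cnt (assumption). Returns the new output length. */
static size_t conv_step(conv_t *c, const char **in_pp, size_t *in_left_p,
                        char *out, size_t n)
{
    if (in_pp == NULL || in_left_p == NULL)  /* NULL test stands alone ... */
        return drain_pending(c, out, n);     /* ... lb_ptr < lb_cnt handled here */
    const unsigned char *ps = (const unsigned char *)*in_pp;
    for (; *in_left_p > 0; ps++, (*in_left_p)--) {
        if (*ps == (unsigned char)c->lb[c->lb_ptr]) {
            if (++c->lb_ptr == c->lb_cnt) {  /* full break: copy it raw */
                for (size_t i = 0; i < c->lb_cnt; i++) out[n++] = c->lb[i];
                c->lb_ptr = 0;
            }
            continue;
        }
        n = drain_pending(c, out, n);        /* partial match failed */
        if (*ps == (unsigned char)c->lb[0]) c->lb_ptr = 1;
        else if (*ps > 32 && *ps < 127 && *ps != '=') out[n++] = (char)*ps;
        else n = put_hex(out, n, *ps);
    }
    *in_pp = (const char *)ps;
    return n;
}
```

Feeding the report's payload "test\r\ntest\r\n\r" with lb set to "\r\n" leaves lb_ptr at 1 after the data call; the following conv_step(&c, NULL, NULL, out, n) appends =0D for the pending CR instead of dereferencing NULL or dropping the byte.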
 [2017-10-24 06:33 UTC]
-Status: Assigned +Status: Open -Assigned To: moriyoshi +Assigned To:
 [2020-09-07 12:28 UTC]
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2020-09-07 12:28 UTC]
This issue has long been resolved; marking as duplicate of bug