Patch fix-uudecode for *General Issues Bug #67252

Patch version 2014-05-12 03:30 UTC

• 2014-05-12 03:30 UTC [diff to current]

Developer: stas@php.net

diff --git a/NEWS b/NEWS
index 03f8b87..69e3b8d 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ PHP                                                                        NEWS
   . Fixed bug #67245 (usage of memcpy() with overlapping src and dst in
     zend_exceptions.c). (Bob)
   . Fixed bug #67247 (spl_fixedarray_resize integer overflow). (Stas)
+  . Fixed bug #67252 (convert_uudecode out-of-bounds read). (Stas)
 
 - Date:
   . Fixed bug #67118 (DateTime constructor crash with invalid data). (Anatol)
diff --git a/ext/standard/tests/strings/bug67252.phpt b/ext/standard/tests/strings/bug67252.phpt
new file mode 100644
index 0000000..80a6ebc
--- /dev/null
+++ b/ext/standard/tests/strings/bug67252.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #67252 (convert_uudecode out-of-bounds read)
+--FILE--
+<?php
+
+$a = "M86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A"."\n"."a.";
+var_dump(convert_uudecode($a));
+
+?>
+--EXPECTF--	
+
+Warning: convert_uudecode(): The given parameter is not a valid uuencoded string in %s on line %d
+bool(false)
diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c
index 52e892e..8544aef 100644
--- a/ext/standard/uuencode.c
+++ b/ext/standard/uuencode.c
@@ -151,6 +151,9 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */
 		}
 
 		while (s < ee) {
+			if(s+4 > e) {
+				goto err;
+			} 
 			*p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4;
 			*p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2;
 			*p++ = PHP_UU_DEC(*(s + 2)) << 6 | PHP_UU_DEC(*(s + 3));