diff options
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | ext/iconv/iconv.c | 4 | ||||
| -rw-r--r-- | ext/iconv/tests/bug78069.data | bin | 0 -> 107 bytes | |||
| -rw-r--r-- | ext/iconv/tests/bug78069.phpt | 15 |
4 files changed, 22 insertions, 1 deletions
@@ -19,6 +19,10 @@ PHP NEWS . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm). (CVE-2019-11038) (cmb) +- Iconv: + . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() + due to integer overflow). (CVE-2019-11039). (maris dot adam) + - JSON: . Fixed bug #77843 (Use after free with json serializer). (Nikita) diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c index d80bac77f3..24aefcbba7 100644 --- a/ext/iconv/iconv.c +++ b/ext/iconv/iconv.c @@ -1663,7 +1663,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st * we can do at this point. */ if (*(p1 + 1) == '=') { ++p1; - --str_left; + if (str_left > 1) { + --str_left; + } } err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl); diff --git a/ext/iconv/tests/bug78069.data b/ext/iconv/tests/bug78069.data Binary files differnew file mode 100644 index 0000000000..ebd5d0bdcf --- /dev/null +++ b/ext/iconv/tests/bug78069.data diff --git a/ext/iconv/tests/bug78069.phpt b/ext/iconv/tests/bug78069.phpt new file mode 100644 index 0000000000..1341a5ef4f --- /dev/null +++ b/ext/iconv/tests/bug78069.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow) +--SKIPIF-- +<?php +if (!extension_loaded('iconv')) die('skip ext/iconv required'); +?> +--FILE-- +<?php +$hdr = iconv_mime_decode_headers(file_get_contents(__DIR__ . "/bug78069.data"),2); +var_dump(count($hdr)); +?> +DONE +--EXPECT-- +int(1) +DONE
\ No newline at end of file |