Fixed possible buffer overflow in php_base64_decode();

Moriyoshi Koizumi · Moriyoshi Koizumi · commit aeb6a6c45884 · 2002-12-01T02:44:50.000Z
# This bug doesn't appear to be harmful for now,
# so I won't merge it into branches...
diff --git a/ext/standard/base64.c b/ext/standard/base64.c
@@ -140,7 +140,7 @@ unsigned char *php_base64_decode(const unsigned char *str, int length, int *ret_
 	}
 
 	/* run through the whole string, converting as we go */
-	while ((ch = *current++) != '\0') {
+	while ((ch = *current++) != '\0' && length-- > 0) {
 		if (ch == base64_pad) break;
 
 	    /* When Base64 gets POSTed, all pluses are interpreted as spaces.

Original file line number	Diff line number	Diff line change
`@@ -140,7 +140,7 @@ unsigned char php_base64_decode(const unsigned char str, int length, int *ret_`
`140`	`140`	`}`
`141`	`141`
`142`	`142`	`/* run through the whole string, converting as we go */`
`143`		`- while ((ch = *current++) != '\0') {`
	`143`	`+ while ((ch = *current++) != '\0' && length-- > 0) {`
`144`	`144`	`if (ch == base64_pad) break;`
`145`	`145`
`146`	`146`	`/* When Base64 gets POSTed, all pluses are interpreted as spaces.`