ID:               15772
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Closed
 Bug Type:         *General Issues
 Operating System: all
 PHP Version:      4.0.6
 New Comment:

True, that bit of code made no sense and has been fixed.  The entire
thing has been reworked for the 4.2 tree, but if you could expand on
the myriad of buffer overflows aside from the memchr()+1 mixup, and
submit a useful bug report it would be appreciated.


Previous Comments:
------------------------------------------------------------------------

[2002-02-27 21:40:17] [EMAIL PROTECTED]

Dear morons,

Please observe the following two lines from the 'fix' you have posted
for your file-upload incompetence:

  loc = (char *) memchr(ptr, '\n', rem)+1;
  if (!loc) {

There's a bug in this code. Can you see what it is? Hint: the 'if'
expression will never evaluate true. Well, that's assuming the first
line doesn't crash since it invokes undefined behaviour.

Hint #2: the whole routine (not just those 2 lines) is still completely
and utterly broken as of revision 1.71.2.2. It is riddled with code
that reads beyond the end of the buffer.

Hint #3: yet again, you need to follow up your Bugtraq posting with
a message saying 'Not only were we too stupid to write the code right
in the first place, we were too stupid to fix it right too. Please
ignore our previous patch. Please use this new one, which will probably
be wrong also.'

HTH, HAND.


------------------------------------------------------------------------
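
The memchr()+1 shape quoted in the comment above, beside a bounded
replacement, as an added illustration that is not code from PHP's upload
handling or from either commenter.  The helpers next_line_start(),
split_lines() and count_lines(), and the sample multipart-style header
fragment, are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helpers (not PHP's rfc1867 code).  The lines quoted in the
 * report were:
 *
 *     loc = (char *) memchr(ptr, '\n', rem)+1;
 *     if (!loc) {
 *
 * memchr() returns NULL when there is no '\n' in the first rem bytes.
 * NULL+1 is undefined behaviour in C, and on any real ABI the sum is a
 * non-null value, so the test can never fire and the caller keeps
 * scanning past the end of the buffer.  The fix is to test the result
 * before doing arithmetic on it, and to keep every scan bounded by rem.
 */

/*
 * Return a pointer to the byte after the next '\n' in ptr[0..rem), storing
 * the number of bytes left after it in *rem_out (may be 0, in which case
 * the returned pointer is one past the end and must not be dereferenced).
 * Returns NULL when no newline is present in the remaining bytes.
 */
static const char *next_line_start(const char *ptr, size_t rem, size_t *rem_out)
{
    const char *nl;

    if (ptr == NULL || rem == 0)
        return NULL;

    nl = memchr(ptr, '\n', rem);   /* bounded by rem: never reads past the buffer */
    if (nl == NULL)
        return NULL;               /* checked BEFORE the +1, unlike the quoted code */

    *rem_out = rem - (size_t)(nl - ptr) - 1;
    return nl + 1;
}

/*
 * Split buf[0..len) into at most max lines, reported as (pointer, length)
 * pairs with the '\n' and a preceding '\r' stripped.  A trailing fragment
 * without '\n' is reported as its own line.  Returns the number of lines
 * found and never reads beyond buf + len.
 */
static size_t split_lines(const char *buf, size_t len,
                          const char **start, size_t *length, size_t max)
{
    size_t n = 0;
    const char *ptr = buf;
    size_t rem = len;

    while (rem > 0 && n < max) {
        size_t rem_after = 0;
        const char *next = next_line_start(ptr, rem, &rem_after);
        size_t line_len;

        if (next == NULL) {
            line_len = rem;            /* no newline left: rest is the last line */
            next = ptr + rem;
        } else {
            line_len = (size_t)(next - ptr) - 1;   /* drop the '\n' */
        }
        if (line_len > 0 && ptr[line_len - 1] == '\r')
            line_len--;                            /* drop a CRLF's '\r' */

        start[n] = ptr;
        length[n] = line_len;
        n++;

        ptr = next;
        rem = rem_after;
    }
    return n;
}

/* Count lines in buf[0..len) with the same bounded walk. */
static size_t count_lines(const char *buf, size_t len)
{
    size_t n = 0, rem = len;
    const char *ptr = buf;

    while (rem > 0) {
        size_t rem_after = 0;
        const char *next = next_line_start(ptr, rem, &rem_after);
        n++;
        if (next == NULL)
            break;
        ptr = next;
        rem = rem_after;
    }
    return n;
}

int main(void)
{
    /* Constructed multipart-style part header with an unterminated body. */
    static const char sample[] =
        "Content-Disposition: form-data; name=\"f\"\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "hello";
    const char *start[8];
    size_t length[8];
    size_t n = split_lines(sample, sizeof sample - 1, start, length, 8);
    size_t i;

    for (i = 0; i < n; i++)
        printf("line %zu (%zu bytes): \"%.*s\"\n",
               i, length[i], (int)length[i], start[i]);
    return 0;
}
```

The point of the bounded walk is that the only two ways to advance are a
memchr() limited by the remaining byte count and a NULL test that happens
before any pointer arithmetic; a part header that ends without a newline
is returned as a final line instead of becoming an over-read.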


-- 
Edit this bug report at http://bugs.php.net/?id=15772&edit=1