ID: 15772
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Closed
Bug Type: *General Issues
Operating System: all
PHP Version: 4.0.6

New Comment:
Your claims are simply wrong. Not a single str* function is able to read beyond the buffer, cause the buffer is '\0' terminated and strcmp/strcasecmp whatever will stop there.

Previous Comments:
------------------------------------------------------------------------

[2002-02-27 23:42:47] [EMAIL PROTECTED]

Fine by me, but the problems are not fixed in CVS. You asked me for more specifics, I gave them to you.

------------------------------------------------------------------------

[2002-02-27 23:34:49] [EMAIL PROTECTED]

The specific memchr()+1 issue is fixed in CVS, which was the only useful part of this bug report. We close bugs when they are fixed in CVS, not when we ship releases.

------------------------------------------------------------------------

[2002-02-27 23:20:44] [EMAIL PROTECTED]

In what way is it "fixed"? Every PHP user in the entire world is going to have to download the patches from www.php.net to fix the security hole, and those patches contain this bug. I know that it is fixed in CVS in that the entire file has been replaced, but as I understand it there is no fixed release version.

As to the other bugs, just look at the main while() loop in php_mime_split(). Pretty much every call to str* functions (including the very first one) is reading beyond the end of the buffer. If this happens, 'rem' may become negative and even more excitement ensues.

------------------------------------------------------------------------

[2002-02-27 22:55:48] [EMAIL PROTECTED]

True, that bit of code made no sense and has been fixed. The entire thing has been reworked for the 4.2 tree, but if you could expand on the myriad of buffer overflows aside from the memchr()+1 mixup, and submit a useful bug report, it would be appreciated.
------------------------------------------------------------------------

[2002-02-27 21:40:17] [EMAIL PROTECTED]

Dear morons,

Please observe the following two lines from the 'fix' you have posted for your file-upload incompetence:

    loc = (char *) memchr(ptr, '\n', rem)+1;
    if (!loc) {

There's a bug in this code. Can you see what it is?

Hint: the 'if' expression will never evaluate true. Well, that's assuming the first line doesn't crash since it invokes undefined behaviour.

Hint #2: the whole routine (not just those 2 lines) is still completely and utterly broken as of revision 1.71.2.2. It is riddled with code that reads beyond the end of the buffer.

Hint #3: yet again, you need to follow up to your Bugtraq posting with a message saying 'Not only were we too stupid to write the code right in the first place, we were too stupid to fix it right too. Please ignore our previous patch. Please use this new one, which will probably be wrong also.'

HTH, HAND.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=15772&edit=1
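The memchr()+1 mistake argued over above, with the corrected line-scanning pattern beside it, as an added example that is not PHP's own rfc1867.c code; `next_line` and `count_complete_lines` are hypothetical names, and the buffer is treated as length-bounded rather than relying on a trailing '\0':

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Illustrative helpers modelled on the pattern quoted in the report (not
 * PHP's code). `ptr` addresses `rem` bytes that need not be NUL-terminated,
 * so only the length-bounded memchr() is used, never strcmp()/strstr(). */

/* Locate the end of the current line. On success *line_len receives the
 * length of the line without its '\n' and *advance the bytes to skip to
 * reach the next line (line_len + 1). Returns false when no '\n' lies
 * within the remaining bytes; the caller must stop rather than continue. */
bool next_line(const char *ptr, size_t rem, size_t *line_len, size_t *advance)
{
    const char *nl;

    if (ptr == NULL || rem == 0)
        return false;

    /* The report's bug:  loc = memchr(ptr, '\n', rem) + 1;  if (!loc) ...
     * Adding 1 before the check turns a NULL result into a non-NULL
     * pointer, so the check can never fire, and arithmetic on NULL is
     * undefined behaviour. Test the raw result first, then offset it. */
    nl = memchr(ptr, '\n', rem);
    if (nl == NULL)
        return false;

    *line_len = (size_t)(nl - ptr);
    *advance = *line_len + 1;   /* <= rem, because nl < ptr + rem */
    return true;
}

/* Walk the buffer line by line, keeping `rem` in step with `ptr` so that
 * it can never underflow (the "rem may become negative" case above).
 * Returns the number of complete lines, or -1 if bytes without a
 * terminating '\n' are left over. */
int count_complete_lines(const char *buf, size_t len)
{
    const char *ptr = buf;
    size_t rem = len, line_len, advance;
    int lines = 0;

    while (rem > 0) {
        if (!next_line(ptr, rem, &line_len, &advance))
            return -1;          /* partial trailing line */
        ptr += advance;
        rem -= advance;         /* safe: advance <= rem */
        lines++;
    }
    return lines;
}
```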