ID: 15772
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Closed
Bug Type: *General Issues
Operating System: all
PHP Version: 4.0.6

New Comment:
I'll admit that I did not examine the rest of the program to see if the buffer was '\0'-terminated; however, if it is, it's not just me that thought it wasn't - whoever wrote the routine thought it wasn't either. Otherwise there wouldn't even be any point in passing the buffer length to the function, or the main loop's "while (ptr - buf < cnt)", or indeed half the function.

As to providing patches, I know from experience that what you tend to do with them is ignore them, insult them, re-write them badly and apply them six months later, and then fail to credit. Plus I see no point in providing band-aids in a futile attempt to cover the gaping wounds in PHP. I *can* give you the fix I recommend to people for PHP, however, which is 'rm -rf php-*' ;-)

Previous Comments:
------------------------------------------------------------------------
[2002-02-28 03:21:22] [EMAIL PROTECTED]

We can search and fix what's wrong if there is a bug description, but it would be nice if you could post the patch to php-dev directly. We know PHP has many bugs and appreciate patches that fix bugs. You have the skills, right :)
------------------------------------------------------------------------
[2002-02-28 03:02:27] [EMAIL PROTECTED]

Your claims are simply wrong. Not a single str* function is able to read beyond the buffer, because the buffer is '\0'-terminated and strcmp/strcasecmp/whatever will stop there.
------------------------------------------------------------------------
[2002-02-27 23:42:47] [EMAIL PROTECTED]

Fine by me, but the problems are not fixed in CVS. You asked me for more specifics; I gave them to you.
------------------------------------------------------------------------
[2002-02-27 23:34:49] [EMAIL PROTECTED]

The specific memchr()+1 issue is fixed in CVS, which was the only useful part of this bug report. We close bugs when they are fixed in CVS, not when we ship releases.
------------------------------------------------------------------------
[2002-02-27 23:20:44] [EMAIL PROTECTED]

In what way is it "fixed"? Every PHP user in the entire world is going to have to download the patches from www.php.net to fix the security hole, and those patches contain this bug. I know that it is fixed in CVS in that the entire file has been replaced, but as I understand it there is no fixed release version.

As to the other bugs, just look at the main while() loop in php_mime_split(). Pretty much every call to str* functions (including the very first one) is reading beyond the end of the buffer. If this happens, 'rem' may become negative and even more excitement ensues.
------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/15772
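The disagreement above is about a length-delimited buffer walked by a "while (ptr - buf < cnt)" loop whose inner str* calls stop at a NUL rather than at buf + cnt. The following is an added C illustration of that pattern and of a bounded rewrite; it is not php_mime_split(), not PHP project code, and not from the bug report. The two scanner functions, the boundary string "XYZ" and the sample body are hypothetical and constructed for the demonstration. The backing array is over-allocated so that the unsafe scanner's over-read stays inside the array (no undefined behaviour in the demo) while still going past the logical length cnt, which is exactly what lets it report a phantom boundary and drive rem negative.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical MIME body scanners (added example, not PHP code). Both walk a
 * length-delimited body of `cnt` bytes, counting lines that start with
 * "--" + boundary. The first mirrors the pattern criticised in the report: the
 * outer loop is bounded by cnt, but strncmp()/strchr() run to a NUL instead.
 * The second never reads a byte at or past buf + cnt.
 */

/* Unsafe pattern. Only callable here because the demo guarantees a NUL somewhere
 * after buf + cnt; on a real upload buffer this reads out of bounds. */
static int scan_str_unsafe(const char *buf, int cnt, const char *boundary, int *min_rem)
{
    char prefix[256];
    int plen = snprintf(prefix, sizeof prefix, "--%s", boundary);
    const char *ptr = buf;
    int found = 0;
    int rem;

    *min_rem = cnt;
    while (ptr - buf < cnt) {
        /* compares up to plen bytes even if fewer than plen remain before cnt */
        if (strncmp(ptr, prefix, (size_t)plen) == 0)
            found++;
        /* walks to the NUL, which may lie beyond buf + cnt */
        const char *nl = strchr(ptr, '\n');
        if (nl == NULL)
            break;
        ptr = nl + 1;                  /* may now point past buf + cnt */
        rem = cnt - (int)(ptr - buf);  /* goes negative once ptr is past the end */
        if (rem < *min_rem)
            *min_rem = rem;
    }
    return found;
}

/* Bounded version: every comparison and search is limited by the bytes that
 * remain, so nothing reads past buf + cnt and rem (size_t) cannot go negative. */
static int scan_bounded(const char *buf, size_t cnt, const char *boundary)
{
    size_t blen = strlen(boundary);
    const char *ptr = buf;
    const char *end = buf + cnt;
    int found = 0;

    while (ptr < end) {
        size_t rem = (size_t)(end - ptr);        /* always > 0 inside the loop */
        if (rem >= 2 + blen
            && ptr[0] == '-' && ptr[1] == '-'
            && memcmp(ptr + 2, boundary, blen) == 0)
            found++;
        const char *nl = memchr(ptr, '\n', rem); /* searches only rem bytes */
        if (nl == NULL)
            break;                               /* unterminated last line: stop here */
        ptr = nl + 1;                            /* nl < end, so ptr <= end */
    }
    return found;
}

struct demo_result {
    int unsafe_found;    /* boundaries the unsafe scanner claims to see */
    int unsafe_min_rem;  /* smallest "remaining" value it computed */
    int bounded_found;   /* boundaries the bounded scanner sees */
};

/* Constructed input: the logical body is the first cnt bytes of `backing`;
 * the bytes after it stand in for whatever happens to follow the buffer in
 * memory, and here they happen to look like a boundary line. */
static struct demo_result run_demo(void)
{
    static const char backing[] = "field=1\r\n--XYZ\r\n";  /* constructed */
    const int cnt = 11;            /* body = "field=1\r\n--", cut mid-line */
    struct demo_result r;

    r.unsafe_found = scan_str_unsafe(backing, cnt, "XYZ", &r.unsafe_min_rem);
    r.bounded_found = scan_bounded(backing, (size_t)cnt, "XYZ");
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("unsafe: found=%d min_rem=%d\n", r.unsafe_found, r.unsafe_min_rem);
    printf("bounded: found=%d\n", r.bounded_found);
    return 0;
}
```

With this input the unsafe scanner matches "--XYZ" starting at offset 9 even though only two of those five bytes lie inside the body, then strchr() carries ptr to offset 16 and rem becomes 11 - 16 = -5; the bounded scanner sees two remaining bytes, declines the comparison, finds no newline within them and stops with zero boundaries. The loop condition alone cannot protect the inner calls; each one needs its own length bound.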