ID: 12227
Comment by: our-peace388 at hotmail dot com
Reported By: brueckner at respublica dot de
Status: Closed
Bug Type: Output Control
Operating System: Linux 2.2.16-SMP
PHP Version: 4.2.0-dev
Assigned To: yohgaki
Previous Comments:
------------------------------------------------------------------------
[2002-05-03 23:07:24] [EMAIL PROTECTED]

This bug has been fixed in CVS. You can grab a snapshot of the CVS version at http://snaps.php.net/

------------------------------------------------------------------------
[2002-04-05 05:19:32] lucifer at vengeance dot et dot tudelft dot nl

The following testcase even crashes PHP4. It seems if you assign a value to the given parameter (here $s) which is larger than the original, it will crash. Copying the input into a separate variable and working with that is a workaround. Still, this simple buffer overflow ought to be easy to fix? Using 4.1.1 (build dec 30, 2001):

<?php
ob_start( "handler" );
function handler( $s ) {
    $s = $s."foobar foobar foobar";
    return $s;
}
?>

------------------------------------------------------------------------
[2002-02-12 22:38:01] [EMAIL PROTECTED]

The last patch that I mentioned still has a problem with a simple output handler like

function ob_handler($buffer) {
    $result = $buffer;
    return $result;
}

This could happen easily when a user conditionally converts the buffer.... To fix this segfault completely, it seems I have to copy the buffer before passing it to the user-defined output handler.

------------------------------------------------------------------------
[2002-02-07 02:29:33] [EMAIL PROTECTED]

Anyone who is interested in this problem: here is a patch for this problem. This should solve the unwanted free for this specific case. Question is, do we really want this?

Index: main/output.c
===================================================================
RCS file: /repository/php4/main/output.c,v
retrieving revision 1.84
diff -u -r1.84 output.c
--- main/output.c	7 Feb 2002 02:50:28 -0000	1.84
+++ main/output.c	7 Feb 2002 06:31:35 -0000
@@ -164,7 +164,7 @@
 	ALLOC_INIT_ZVAL(orig_buffer);
 	ZVAL_STRINGL(orig_buffer, OG(active_ob_buffer).buffer, OG(active_ob_buffer).text_length, 0);
 	orig_buffer->refcount=2; /* don't let call_user_function() destroy our buffer */
-	orig_buffer->is_ref=1;
+	orig_buffer->is_ref=0;
 
 	ALLOC_INIT_ZVAL(z_status);
 	ZVAL_LONG(z_status, status);

------------------------------------------------------------------------
[2002-02-05 18:28:22] [EMAIL PROTECTED]

Easy one to fix :)

<?php
ob_start("my_flush");
function my_flush($buffer) {
    $buffer = preg_replace("/(<!--REPLACE\\s.*?-->)/e", "parse(\"\\1\")", $buffer);
    return $buffer;
}
?>

/home/yohgaki/public_html/bugs/12227/bug.php(9) : Warning - String is not zero-terminated (ZZZZZZZZZZZZZZ

------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/12227
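Review bot: flipping is_ref from 1 to 0 in the hunk only changes what an assignment to the handler's parameter does (copy-on-write separation instead of an in-place write through the reference); the zval still wraps OG(active_ob_buffer).buffer directly with the no-duplicate flag in ZVAL_STRINGL(..., 0), so the refcount=2 trick on the line above remains the only thing standing between the engine's buffer and a free, and the 2002-02-12 follow-up confirms a handler that merely copies and returns the buffer still trips over it. Suggest duplicating the buffer before the call (ZVAL_STRINGL(..., 1), or the explicit copy that follow-up proposes) and extending the comment on the refcount=2 line to say why is_ref must stay 0, since a later reader will otherwise take the flag flip for an arbitrary change.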
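As an added illustration of the mechanism this thread circles around (it is not PHP's own output.c), the C model below stands a refcounted string value in for the zval in the hunk, wraps an engine-owned buffer without duplicating it, and runs the testcase's `$s = $s."foobar foobar foobar"` assignment under both is_ref settings; `zval_t`, `assign_concat`, `run_ob_handler` and the page text are constructed for the model, and the write-in-place versus separate rule is PHP 4's in simplified form.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for a PHP 4 string zval: only the fields the hunk touches. */
typedef struct { char *str; size_t len; int refcount; int is_ref; } zval_t;

/* Engine-owned buffer, standing in for OG(active_ob_buffer).buffer. */
static char *ob_buffer;
static int ob_buffer_freed;   /* set if the engine's buffer is released behind its back */

static void str_release(char *p) {
    if (p == ob_buffer) ob_buffer_freed = 1;   /* compared before free(): no dangling use */
    free(p);
}

/* "$s = $s.'foobar foobar foobar';" under PHP 4 assignment rules: a reference
 * (is_ref) or a sole owner (refcount==1) is written in place, anything else is
 * separated first (copy-on-write), so the shared zval is left alone. */
static zval_t *assign_concat(zval_t *param, const char *tail) {
    size_t n = param->len + strlen(tail);
    char *joined = malloc(n + 1);
    memcpy(joined, param->str, param->len);
    strcpy(joined + param->len, tail);
    if (param->is_ref || param->refcount == 1) {
        str_release(param->str);            /* frees the engine buffer when str aliases it */
        param->str = joined; param->len = n;
        return param;
    }
    zval_t *local = malloc(sizeof *local);  /* separated copy: engine's zval untouched */
    param->refcount--;
    local->str = joined; local->len = n; local->refcount = 1; local->is_ref = 0;
    return local;
}

/* Engine side, mirroring the hunk: wrap the live buffer without duplicating it
 * (ZVAL_STRINGL(..., 0)), refcount=2, is_ref as the patch sets it.  Returns 1
 * if the handler's assignment freed the engine's buffer out from under it. */
static int run_ob_handler(const char *page, int is_ref_flag) {
    size_t len = strlen(page);
    ob_buffer = malloc(len + 1);
    memcpy(ob_buffer, page, len + 1);
    ob_buffer_freed = 0;
    zval_t orig = { ob_buffer, len, 2, is_ref_flag };
    zval_t *result = assign_concat(&orig, "foobar foobar foobar");
    if (result != &orig) { str_release(result->str); free(result); }  /* handler's local dies */
    else str_release(result->str);           /* in-place: only the new string is left */
    if (!ob_buffer_freed) free(ob_buffer);   /* engine flushes, then releases its buffer */
    ob_buffer = NULL;
    return ob_buffer_freed;
}
```

With is_ref=1 the concatenation frees the engine's buffer while the engine still holds its pointer, which is the stale-buffer condition behind the crash; with is_ref=0 and refcount=2 the assignment lands in a separated copy and the engine's buffer survives the call.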
