ID: 15772
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Closed
Bug Type: *General Issues
Operating System: all
PHP Version: 4.0.6
New Comment:
We can search and fix what's wrong if there is a bug description, but
it would nice if you could post patch to php-dev directly. We know PHP
has many bugs and appreciate patches fixes bugs.
You have skills, right :)
Previous Comments:
------------------------------------------------------------------------
[2002-02-28 03:02:27] [EMAIL PROTECTED]
Your claims are simply wrong.
Not a single str* function is able to read beyond the
buffer, cause the buffer is '\0' terminated and
strcmp/strcasecmp whatever will stop there.
------------------------------------------------------------------------
[2002-02-27 23:42:47] [EMAIL PROTECTED]
Fine by me, but the problems are not fixed in CVS. You asked me for
more specifics, I gave them to you.
------------------------------------------------------------------------
[2002-02-27 23:34:49] [EMAIL PROTECTED]
The specific memchr()+1 issue is fixed in CVS which was the only useful
part of this bug report. We close bugs when they are fixed in CVS, not
when we ship releases.
------------------------------------------------------------------------
[2002-02-27 23:20:44] [EMAIL PROTECTED]
It what way is it "fixed"? Every PHP user in the entire world is going
to have to download the patches from www.php.net to fix the security
hole, and those patches contain this bug. I know that it is fixed in
CVS in that the entire file has been replaced, but as I understand it
there is no fixed release version.
As to the other bugs, just look at the main while() loop in
php_mime_split(). Pretty much every call to str* functions (including
the very first one) are reading beyond the end of the buffer. If this
happens, 'rem' may become negative and even more excitement ensues.
------------------------------------------------------------------------
[2002-02-27 22:55:48] [EMAIL PROTECTED]
True, that bit of code made no sense and has been fixed. The entire
thing has been reworked for the 4.2 tree, but if you could expand on
the muriad of buffer overflows aside from the memchr()+1 mixup, and
submit a useful bug report it would be appreciated.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/15772
--
Edit this bug report at http://bugs.php.net/?id=15772&edit=1
