Guys, I fixed this memchr()+1 issue a couple of days ago. See
http://cvs.php.net/diff.php/php4/main/rfc1867.c?r1=1.71.2.2&r2=1.71.2.3&ty=u
It's a crash-bug, not an exploitable buffer problem. If we need a 4.1.3
for some reason, it will be in there.
-Rasmus
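The memchr()+1 crash discussed in this thread, side by side with the check it needs, as an added example that is not code from the thread or from php4's rfc1867.c. `skip_field_unsafe` reproduces the pre-fix idiom (memchr() result incremented before the NULL test); `skip_field_safe` tests the result first and also bounds the folded-header loop so the byte after a newline that ends the buffer is never dereferenced, which goes one step beyond the patch quoted below. Function names and the sample header blocks are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Original pattern (the memchr()+1 idiom from the thread): the result of
 * memchr() is incremented before it is tested, so on a header block with no
 * '\n' the NULL check sees (char *)1, never NULL, and the caller goes on to
 * dereference that pointer. Kept for contrast only; the demo never calls it
 * on input that lacks a newline.
 */
static const char *skip_field_unsafe(const char *ptr, size_t rem)
{
    const char *loc = (const char *)memchr(ptr, '\n', rem) + 1;
    if (!loc) {            /* can never be true after the +1 */
        return NULL;
    }
    return loc;
}

/*
 * Hardened version: test memchr() before advancing, bound the folded
 * continuation loop by the bytes actually left, and never dereference at or
 * past ptr + rem. On success returns 0 and sets *next to the first byte after
 * the field (possibly ptr + rem, i.e. end of buffer); on a field with no
 * terminating newline returns -1.
 */
static int skip_field_safe(const char *ptr, size_t rem, const char **next)
{
    const char *end = ptr + rem;
    const char *loc = memchr(ptr, '\n', rem);

    if (!loc) {
        return -1;                        /* garbled: no line terminator */
    }
    loc++;
    /* A continuation line starts with SP or HT; loc < end guards the
     * dereference when the newline was the last byte of the buffer. */
    while (loc < end && (*loc == ' ' || *loc == '\t')) {
        loc = memchr(loc, '\n', (size_t)(end - loc));
        if (!loc) {
            return -1;                    /* folded line never terminated */
        }
        loc++;
    }
    *next = loc;
    return 0;
}

/* Walk a block of MIME part headers and count the fields (a folded field
 * counts once). Returns -1 if any field is unterminated. */
int count_header_fields(const char *buf, size_t len)
{
    const char *ptr = buf;
    size_t rem = len;
    int n = 0;

    while (rem > 0) {
        const char *next;
        if (skip_field_safe(ptr, rem, &next) != 0) {
            return -1;
        }
        n++;
        rem -= (size_t)(next - ptr);
        ptr = next;
    }
    return n;
}

/* Constructed sample inputs, not captured traffic. */
const char good_hdrs[] =
    "Content-Disposition: form-data; name=\"upload\"; filename=\"a.txt\"\r\n"
    "X-Note: first part\r\n"
    "\tfolded second part\r\n"
    "Content-Type: text/plain\r\n";
const char truncated_hdrs[] = "Content-Disposition: form-data; name=\"u";
const char folded_at_eof[]  = "X-Note: a\n\t";

int main(void)
{
    const char *after = skip_field_unsafe(good_hdrs, sizeof good_hdrs - 1);
    printf("unsafe skip on well-formed input lands on: %c\n", *after);
    printf("good block: %d fields\n",
           count_header_fields(good_hdrs, sizeof good_hdrs - 1));
    printf("truncated block: %d\n",
           count_header_fields(truncated_hdrs, sizeof truncated_hdrs - 1));
    printf("folded line at EOF: %d\n",
           count_header_fields(folded_at_eof, sizeof folded_at_eof - 1));
    return 0;
}
```

The third sample is the case the quoted patch still misses: the field's newline is followed by a tab and then the buffer ends, so a loop that tests `*loc` before comparing `loc` against the end of the region reads past it; the bounded loop reports it as garbled instead.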
On Fri, 1 Mar 2002, Yasuo Ohgaki wrote:
> Jes,
>
> Could you post your patch to php-dev?
>
> PS: We should have a patch submission guide.
>
> --
> Yasuo Ohgaki
>
> [EMAIL PROTECTED] wrote:
> > ID: 15772
> > Updated by: [EMAIL PROTECTED]
> > Reported By: [EMAIL PROTECTED]
> > Status: Closed
> > Bug Type: *General Issues
> > Operating System: all
> > PHP Version: 4.0.6
> > New Comment:
> >
> > I have had a long look at rfc1867.c v 1.71.2.2 2002/02/21
> > from a download of php4.1.2 today (1 Mar 10:00 CET). There are a large
> > number of dubious cases of handling of the buffer being processed. The
> > following diffs address most of these (I believe). I am posting the
> > patches to the php-dev list, since it's difficult if not impossible to
> > create a properly formatted diff in this edit window.
> >
> >
> > Previous Comments:
> > ------------------------------------------------------------------------
> >
> > [2002-02-28 17:50:58] [EMAIL PROTECTED]
> >
> > How about this patch:
> >
> > --- main/rfc1867.c.orig Thu Feb 28 14:08:25 2002
> > +++ main/rfc1867.c Thu Feb 28 14:33:03 2002
> > @@ -163,20 +163,28 @@
> > SAFE_RETURN;
> > }
> > /* some other headerfield
> > found, skip it */
> > - loc = (char *) memchr(ptr,
> > '\n', rem)+1;
> > + loc = (char *) memchr(ptr,
> > '\n', rem);
> > if (!loc) {
> > /* broken */
> > php_error(E_WARNING,
> > "File Upload Mime headers garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1),
> > *(ptr + 2), *(ptr
> > + 3), *(ptr + 4));
> > SAFE_RETURN;
> > }
> > + else
> > + {
> > + loc++;
> > + }
> > while (*loc == ' ' || *loc ==
> > '\t') {
> > /* other field is
> > folded, skip it */
> > - loc = (char *)
> > memchr(loc, '\n', rem-(loc-ptr))+1;
> > + loc = (char *)
> > memchr(loc, '\n', rem-(loc-ptr));
> > if (!loc) {
> > /* broken */
> >
> > php_error(E_WARNING, "File Upload Mime headers garbled ptr:
> > [%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr +
> > 2), *(ptr + 3), *(ptr + 4));
> > SAFE_RETURN;
> > }
> > + else
> > + {
> > + loc++;
> > + }
> > }
> > rem -= (loc - ptr);
> > ptr = loc;
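Review bot: after the added `loc++` (both in the first block and inside the folded-header loop), `loc` can equal `ptr + rem` when the newline is the last byte of the buffer, yet `while (*loc == ' ' || *loc == '\t')` dereferences it unconditionally, so the NULL+1 crash is fixed but one byte past the region is still read. Bound the loop on the bytes left, e.g. `while (rem - (loc - ptr) > 0 && (*loc == ' ' || *loc == '\t'))`, or compare `loc` against `ptr + rem` before the dereference. The E_WARNING message also prints `*ptr` through `*(ptr + 4)` without checking that `rem >= 5`, so the diagnostic itself can read out of bounds on a short buffer.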
> > @@ -232,6 +240,10 @@
> > * pre 4.0.6 code here
> > */
> > loc2 = memchr(loc + 1, '\n',
> > rem);
> > + if (!loc2) {
> > + php_error(E_WARNING,
> > "File Upload Mime headers - no newline");
> > + SAFE_RETURN;
> > + }
> > rem -= (loc2 - ptr) + 1;
> > ptr = loc2 + 1;
> > /* is_arr_upload is true when
> > name of file upload field
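Review bot: the NULL check added after `loc2 = memchr(loc + 1, '\n', rem);` is right, but the length passed is still wrong: `rem` is counted from `ptr` (the hunk's own `rem -= (loc2 - ptr) + 1; ptr = loc2 + 1;` shows this), while the search starts at `loc + 1`, so memchr() may scan up to `loc + 1 - ptr` bytes beyond the buffer before reporting no newline. Pass `rem - (loc + 1 - ptr)` instead so the new check is reached on truncated input rather than a read past the end.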
>
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php
>