Here comes the diff - but again i cannot compile it under windows and therefore i never compiled it :-( It uses spprintf instead of s(n)printf where appropriate and uses a buffer on the stack for chunked data instead of a static buffer.
marcus cvs -z3 -q diff -w win32\sendmail.c (in directory S:\php4\)
Index: win32/sendmail.c
===================================================================
RCS file: /repository/php4/win32/sendmail.c,v
retrieving revision 1.44
diff -u -w -r1.44 sendmail.c
--- win32/sendmail.c 14 Jun 2002 05:42:08 -0000 1.44
+++ win32/sendmail.c 22 Jun 2002 13:25:18 -0000
@@ -63,7 +63,6 @@
 }
 #ifndef THREAD_SAFE
-char Buffer[MAIL_BUFFER_SIZE];
 /* socket related data */
 SOCKET sc;
@@ -341,6 +340,7 @@
 // Author/Date: jcar 20/9/96
 // History:
 //*******************************************************************/
+#define CHUNK_BUFFER_SIZE 1024
 int SendText(char *RPath, char *Subject, char *mailTo, char *data, char *headers, char *headers_lc, char **error_message)
 {
 int res, i;
@@ -348,6 +348,8 @@
 char *tempMailTo, *token, *pos1, *pos2;
 char *server_response = NULL;
 char *stripped_header = NULL;
+char *Buffer;
+char ChunkBuffer[CHUNK_BUFFER_SIZE+1];
 /* check for NULL parameters */
 if (data == NULL)
@@ -366,23 +368,33 @@
 return (BAD_MSG_DESTINATION);
 */
-sprintf(Buffer, "HELO %s\r\n", LocalHost);
+spprintf(&Buffer, 0, "HELO %s\r\n", LocalHost);
+if (!Buffer)
+return OUT_OF_MEMORY;
 /* in the beggining of the dialog */
 /* attempt reconnect if the first Post fail */
 if ((res = Post(Buffer)) != SUCCESS) {
 MailConnect();
-if ((res = Post(Buffer)) != SUCCESS)
+if ((res = Post(Buffer)) != SUCCESS) {
+efree(Buffer);
 return (res);
 }
+}
+efree(Buffer);
 if ((res = Ack(&server_response)) != SUCCESS) {
 SMTP_ERROR_RESPONSE(server_response);
 return (res);
 }
-snprintf(Buffer, MAIL_BUFFER_SIZE, "MAIL FROM:<%s>\r\n", RPath);
-if ((res = Post(Buffer)) != SUCCESS)
+spprintf(&Buffer, 0, "MAIL FROM:<%s>\r\n", RPath);
+if (!Buffer)
+return OUT_OF_MEMORY;
+if ((res = Post(Buffer)) != SUCCESS) {
+efree(Buffer);
 return (res);
+}
+efree(Buffer);
 if ((res = Ack(&server_response)) != SUCCESS) {
 SMTP_ERROR_RESPONSE(server_response);
 return W32_SM_SENDMAIL_FROM_MALFORMED;
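Review bot: `spprintf(&Buffer, 0, "MAIL FROM:<%s>\r\n", RPath)` still interpolates RPath unchecked into a CRLF-terminated SMTP command, so a value carrying an embedded CR or LF would be sent to the server as additional protocol lines; switching the buffer to spprintf does not change that. If RPath can be influenced by script input (the hunk does not show where it comes from), the address should be validated before formatting, e.g. `if (strpbrk(RPath, "\r\n")) return BAD_MSG_DESTINATION;` or whichever error code fits, and the same check applies to each `token` formatted into `RCPT TO:` in the -394, -426 and -460 hunks. A comment such as `/* RPath and recipient tokens must be single-line: CR/LF would be taken as further SMTP commands */` above the first spprintf would record the assumption. SendText begins and ends outside this hunk.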
@@ -394,11 +406,15 @@
 token = strtok(tempMailTo, ",");
 while(token != NULL) {
-snprintf(Buffer, MAIL_BUFFER_SIZE, "RCPT TO:<%s>\r\n", token);
+spprintf(&Buffer, 0, "RCPT TO:<%s>\r\n", token);
+if (!Buffer)
+return OUT_OF_MEMORY;
 if ((res = Post(Buffer)) != SUCCESS) {
 efree(tempMailTo);
+efree(Buffer);
 return (res);
 }
+efree(Buffer);
 if ((res = Ack(&server_response)) != SUCCESS) {
 SMTP_ERROR_RESPONSE(server_response);
 efree(tempMailTo);
@@ -426,9 +442,14 @@
 token = strtok(tempMailTo, ",");
 while(token != NULL) {
-sprintf(Buffer, "RCPT TO:<%s>\r\n", token);
-if ((res = Post(Buffer)) != SUCCESS)
+spprintf(&Buffer, 0, "RCPT TO:<%s>\r\n", token);
+if (!Buffer)
+return OUT_OF_MEMORY;
+if ((res = Post(Buffer)) != SUCCESS) {
+efree(Buffer);
 return (res);
+}
+efree(Buffer);
 if ((res = Ack(&server_response)) != SUCCESS) {
 SMTP_ERROR_RESPONSE(server_response);
 return (res);
@@ -460,10 +481,14 @@
 token = strtok(tempMailTo, ",");
 while(token != NULL) {
-sprintf(Buffer, "RCPT TO:<%s>\r\n", token);
+spprintf(&Buffer, 0, "RCPT TO:<%s>\r\n", token);
+if (!Buffer)
+return OUT_OF_MEMORY;
 if ((res = Post(Buffer)) != SUCCESS) {
+efree(Buffer);
 return (res);
 }
+efree(Buffer);
 if ((res = Ack(&server_response)) != SUCCESS) {
 SMTP_ERROR_RESPONSE(server_response);
 return (res);
@@ -525,7 +550,7 @@
 /* send message contents in 1024 chunks */
-if (strlen(data) <= 1024) {
+if (strlen(data) <= CHUNK_BUFFER_SIZE) {
 if ((res = Post(data)) != SUCCESS)
 return (res);
 } else {
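Review bot: The new `return OUT_OF_MEMORY;` after the RCPT TO spprintf returns while tempMailTo is still allocated — the Post failure path two lines below frees it with `efree(tempMailTo);` — so this path leaks it; it should read `if (!Buffer) { efree(tempMailTo); return OUT_OF_MEMORY; }`. The same early return is added in the -426 and -460 hunks, where tempMailTo is likewise being tokenised, and there the pre-existing Post and Ack failure returns also leave without freeing it; if tempMailTo is heap-allocated at those points as it evidently is here, all of those returns need the same free. SendText begins and ends outside these hunks.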
@@ -533,18 +558,18 @@
 while (1) {
 if (*p == '\0')
 break;
-if (strlen(p) >= 1024)
-i = 1024;
+if (strlen(p) >= CHUNK_BUFFER_SIZE)
+i = CHUNK_BUFFER_SIZE;
 else
 i = strlen(p);
 /* put next chunk in buffer */
-strncpy(Buffer, p, i);
-Buffer[i] = '\0';
+strncpy(ChunkBuffer, p, i);
+ChunkBuffer[i] = '\0';
 p += i;
 /* send chunk */
-if ((res = Post(Buffer)) != SUCCESS)
+if ((res = Post(ChunkBuffer)) != SUCCESS)
 return (res);
 }
 }
At 11:35 11.06.2002, you wrote:
>Why not using spprintf which does not require to allocate the buffer before
>calling the function?
>
>marcus
>
>At 00:10 03.06.2002, Markus Fischer wrote:
>>mfischer Sun Jun 2 18:10:25 2002 EDT
>>
>> Modified files:
>> /php4/win32 sendmail.c
>> Log:
>> - Try to fix most of the buffer overflows and dynamically allocate
>> memory where
>> applicable.
>>
>>
>>Index: php4/win32/sendmail.c
>>diff -u php4/win32/sendmail.c:1.35 php4/win32/sendmail.c:1.36
>>--- php4/win32/sendmail.c:1.35 Sun Jun 2 13:13:48 2002
>>+++ php4/win32/sendmail.c Sun Jun 2 18:10:25 2002
>>@@ -17,7 +17,7 @@
>> *
>> */
>>
>>-/* $Id: sendmail.c,v 1.35 2002/06/02 17:13:48 mfischer Exp $ */
>>+/* $Id: sendmail.c,v 1.36 2002/06/02 22:10:25 mfischer Exp $ */
(...)
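Review bot: The chunk loop still calls `strlen(p)` on the whole unsent remainder every iteration (`if (strlen(p) >= CHUNK_BUFFER_SIZE)` and `i = strlen(p);`), so sending is quadratic in the body length; measuring once before the loop and decrementing sends exactly the same bytes. With the count known, `memcpy` is also the clearer choice over `strncpy`, which here copies exactly i bytes from a region already known to hold at least i, and the `(int)` cast makes the size_t-to-int narrowing into `i` explicit. The `while (1)` opens and closes inside the hunk, but the surrounding `else` branch begins before it.
```c
	size_t remaining = strlen(p);   /* measure the body once, not per chunk */
	while (1) {
		if (remaining == 0)
			break;
		i = remaining >= CHUNK_BUFFER_SIZE ? CHUNK_BUFFER_SIZE : (int)remaining;
		/* put next chunk in buffer */
		memcpy(ChunkBuffer, p, i);
		ChunkBuffer[i] = '\0';
		p += i;
		remaining -= i;
		/* … unchanged: Post(ChunkBuffer) and its error return … */
	}
```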