php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #7799 Crash when parsing multipart POST in functions/mime.c:187 sbuf==NULL
Submitted: 2000-11-14 04:11 UTC Modified: 2002-06-16 08:21 UTC
From: caseq at paranoia dot ru Assigned:
Status: Not a bug Package: Reproducible Crash
PHP Version: 3.0.17 OS: FreeBSD 3.3-RELEASE
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: caseq at paranoia dot ru
New email:
PHP Version: OS:

 

 [2000-11-14 04:11 UTC] caseq at paranoia dot ru 
php3 sigfaults when processing data coming from multipart POST operation in line 187 of functions/mime.c, as sbuf variable is used unconditionally in call to strlen(), when it is only sometimes initialized to anything non-NULL in state 1.
Stack trace follows, core file available on request.

#0  0x808b176 in php3_mime_split (
    buf=0x81e7010 '-' <repeats 29 times>, "7d037473101bc\r\nContent-Disposition: form-data; name=\"f_process\"\r\n\r\npostattach", cnt=81489, 
    boundary=0xbfbfa7ac '-' <repeats 27 times>, "7d037473101bc", 
    http_post_vars=0xbfbfc834) at functions/mime.c:187
#1  0x808f57e in php3_getpost (http_post_vars=0xbfbfc834)
    at functions/post.c:239
#2  0x808faa1 in php3_treat_data (arg=0, str=0x0) at functions/post.c:443
#3  0x806e654 in _php3_hash_environment () at main.c:1348
#4  0x80b0d3c in lex_scan (phplval=0xbfbfca2c) at language-scanner.lex:814
#5  0x80733a1 in read_next_token (tcm=0x812200c, token=0xbfbfc910, 
    phplval=0xbfbfca2c) at token_cache.c:130
#6  0x806d3c7 in phplex (phplval=0xbfbfca2c) at main.c:488
#7  0x80a79e0 in phpparse () at /usr/lib/bison.simple:432
#8  0x806ea6b in php3_parse (yyin=0x28254398) at main.c:1566
#9  0x806ed14 in apache_php3_module_main (r=0x816d038, fd=18, 
    display_source_mode=0, preprocessed=0) at main.c:1926
#10 0x806c5c5 in send_php3 (r=0x816d038, display_source_mode=0, 
    preprocessed=0, 
    filename=0x816ec10 "/usr/local/www/data/qastone/nbrowse.php3")
    at mod_php3.c:241
#11 0x806c625 in send_parsed_php3 (r=0x816d038) at mod_php3.c:258
#12 0x80b554d in ap_invoke_handler (r=0x816d038) at http_config.c:516
#13 0x80c2e79 in process_request_internal (r=0x816d038) at http_request.c:1282
#14 0x80c2ec7 in ap_process_request (r=0x816d038) at http_request.c:1298
#15 0x80bd048 in child_main (child_num_arg=2) at http_main.c:4298
#16 0x80bd21a in make_child (s=0x8129038, slot=2, now=974191291)
    at http_main.c:4466
#17 0x80bd48d in perform_idle_server_maintenance () at http_main.c:4630
#18 0x80bd879 in standalone_main (argc=3, argv=0xbfbfdad4) at http_main.c:4862
#19 0x80bde03 in main (argc=3, argv=0xbfbfdad4) at http_main.c:5123

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2000-11-14 06:52 UTC] caseq at paranoia dot ru 
Here's an html to generate request which causes crash when posted to any php3 file (I'm using IE 5.0 as browser). Neither name nor content of file entered in "userfile" input control seem to matter.

<html>
<head>
<title>Test</title>
</head>

<FORM  ENCTYPE="multipart/form-data" ACTION="http://somehost/somefile.php3" METHOD=POST>
<input type="hidden" name="f_process" value="postattach">
<INPUT NAME="userfile" TYPE="file">
<input type=submit name=regular_submit value="Send file">

</body>
</html>
 [2002-06-16 08:21 UTC] sander@php.net 
Thank you for taking the time to report a problem with PHP.
Unfortunately, PHP 3 is no longer supported. Please download
the latest version of PHP 4 from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Dec 16 14:00:02 2025 UTC