Bug #15849 Bugs found in rfc1867.c by source inspection
Submitted: 2002-03-03 17:11 UTC Modified: 2002-03-03 18:14 UTC
From: wg at malloc dot de Assigned:
Status: Closed Package: Unknown/Other Function
PHP Version: 4.1.2 OS:
Private report: No CVE-ID: None

 [2002-03-03 17:11 UTC] wg at malloc dot de
The following was found by source code inspection:

You can't add 1 to the result of a memchr() and then
still expect to be able to check for a NULL result.

Regards,
Wolfram.

--- php4-4.1.2/main/rfc1867.c.orig      Thu Feb 21 19:46:45 2002
+++ php4-4.1.2/main/rfc1867.c   Sun Mar  3 22:11:42 2002
@@ -162,15 +162,15 @@
                                                SAFE_RETURN;
                                        }
                                        /* some other headerfield found, skip it
 */
-                                       loc = (char *) memchr(ptr, '\n', rem)+1;
+                                       loc = (char *) memchr(ptr, '\n', rem);
                                        if (!loc) {
                                                /* broken */
                                                php_error(E_WARNING, "File Uploa
d Mime headers garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr + 2), *(ptr +
 3), *(ptr + 4));
                                                SAFE_RETURN;
                                        }
-                                       while (*loc == ' ' || *loc == '\t') {
+                                       while (*++loc == ' ' || *loc == '\t') {
                                                /* other field is folded, skip i
t */
-                                               loc = (char *) memchr(loc, '\n',
 rem-(loc-ptr))+1;
+                                               loc = (char *) memchr(loc, '\n',
 rem-(loc-ptr));
                                                if (!loc) {
                                                        /* broken */
                                                        php_error(E_WARNING, "Fi
le Upload Mime headers garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr + 2),
 *(ptr + 3), *(ptr + 4));
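Review bot: The new loop condition `while (*++loc == ' ' || *loc == '\t')` steps past the newline and dereferences the result without checking that it still lies inside the `rem` bytes that memchr() searched. When the '\n' is the last of those bytes, this reads `ptr[rem]`. The same holds on the folded path, where the inner memchr() result is incremented by the next evaluation of the condition. I would suggest an explicit `loc++` after each `if (!loc)` check, followed by a bound test such as `loc < ptr + rem` before looking at `*loc`; that also keeps the side effect out of the loop condition, where it is easy to miss. Separately, the hunk as posted is line-wrapped (the comment and php_error() lines are split mid-token), so it will not apply without repair.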

 [2002-03-03 18:14 UTC] sniper@php.net
Yes, you're right and this has already been fixed.
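
The pitfall named in the report, shown as an added example (not code from rfc1867.c or from either poster): the memchr() result is tested before any arithmetic, and the byte after the newline is read only if it is still inside the buffer. The helper name `skip_header_field` and the sample header text are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: skip one MIME header field, including folded
 * continuation lines, within the rem bytes starting at ptr.
 * Returns the start of the next field (ptr + rem if the data ends right
 * after the newline), or NULL if a line has no terminating '\n'. */
static const char *skip_header_field(const char *ptr, size_t rem)
{
    const char *end = ptr + rem;
    const char *loc = ptr;

    for (;;) {
        /* Test the result BEFORE adding to it: (char *)memchr(...) + 1
         * turns a NULL "not found" into a bogus non-NULL pointer, so a
         * later if (!loc) can never fire. */
        const char *nl = memchr(loc, '\n', (size_t)(end - loc));
        if (nl == NULL) {
            return NULL;        /* broken: unterminated header line */
        }
        loc = nl + 1;           /* safe: nl points into the buffer */

        /* Read the next byte only if it is still inside the buffer. */
        if (loc == end || (*loc != ' ' && *loc != '\t')) {
            return loc;         /* next field, or end of data */
        }
        /* Leading space or tab: the field is folded, keep skipping. */
    }
}

int main(void)
{
    /* Constructed sample input: one folded field, then Content-Type. */
    static const char sample[] =
        "X-Other: a\n\tfolded\nContent-Type: text/plain\n";
    const char *next = skip_header_field(sample, sizeof sample - 1);

    printf("next field: %s", next ? next : "(broken)\n");
    return 0;
}
```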

 
Last updated: Fri Nov 22 19:01:31 2024 UTC