|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2004-07-04 18:53 UTC] iliaa@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 20:01:29 2024 UTC |
Description: ------------ In file ext/imap/php_imap.c line 3685: if ((len = _php_imap_address_size(addresstmp))) { tmpstr = (char *) malloc (len); //strings are \0 terminated! should be: if ((len = _php_imap_address_size(addresstmp))) { tmpstr = (char *) malloc (len+1); //correct since C strings are \0 terminated, this bug causes buffer overflow - the contents of 'addresstmp' variable *sometimes* get ovewrritten, this results in an incorrect value of 'str' passed to add_property_string_ex (as seen in a provided stack trace), whih causes segmentation fault. Reproduce code: --------------- It's not easily reproducible but it seems to be quite obvious. Actual result: -------------- (ladebug) where >0 0x3ff800d67d0 in strlen(...) in /usr/shlib/libc.so #1 0x300000c54a0 in add_property_string_ex(arg=0x140289b18, key=0x30040218160="personal", key_len=9, str=0x403130303530334c=(null), duplicate=1) "zend_API.c":980 #2 0x3000010feb0 in _php_imap_parse_address(addresslist=0x1402bf2c0, fulladdress=0x11ffe6a60, paddress=0x14020e118) "php_imap.c":3642 #3 0x300001103a8 in _php_make_header_object(myzvalue=0x140245918, en=0x1402d0c40) "php_imap.c":3674 #4 0x30000101758 in zif_imap_headerinfo(ht=2, return_value=0x140245918, this_ptr=0x0, return_value_used=1) "php_imap.c":1639 #5 0x300000afa60 in execute(op_array=0x1401ccc18) "./zend_execute.c":1598 #6 0x300038094c8