PHP :: Bug #10167 :: potential Bufferoverflow in extensions based on skeleton...

Bug #10167	potential Bufferoverflow in extensions based on skeleton...
Submitted:	2001-04-04 14:15 UTC	Modified:	2001-04-06 11:00 UTC
From:	s dot esser at ematters dot de	Assigned:
Status:	Closed	Package:	Unknown/Other Function
PHP Version:	4.0 Latest CVS (04/04/2001)	OS:	all
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 46 - 17 = ?
Subscribe to this entry?

[2001-04-04 14:15 UTC] s dot esser at ematters dot de

When i was looking through the CVS version of php, i discovered the following piece of code in skeleton.c

---snip---

PHP_FUNCTION(confirm_extname_compiled)
{
        zval **arg;
        int len;
        char string[256];
...
...
...
len = sprintf(string, "Congratulations, you have successfully modified ....
t/extname/config.m4, module %s is compiled into PHP", Z_STRVAL_PP(arg));

---snap---

of course the sprintf could be used to perform a standart bufferoverflow. It should be better changed into ... %.50s ... or similiar to do not create a potential vulnerability.

As far as i can see ircg and cybermut sources still have the compile confirmation in them...

ciao,
Stefan Esser

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-04-06 11:00 UTC] elixer@php.net

Updated in CVS.  Thank you for your report.

Sean

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 26 09:01:29 2024 UTC