Bug #15849 Bugs found in rfc1867.c by source inspection
Submitted: 2002-03-03 17:11 UTC
Modified: 2002-03-03 18:14 UTC
From: wg at malloc dot de
Assigned:
Status: Closed
Package: Unknown/Other Function
PHP Version: 4.1.2
OS:
Private report: No
CVE-ID: None

 

 [2002-03-03 17:11 UTC] wg at malloc dot de
The following was found by source code inspection:

You can't add 1 to the result of a memchr() and then
still expect to be able to check for a NULL result.

Regards,
Wolfram.

--- php4-4.1.2/main/rfc1867.c.orig      Thu Feb 21 19:46:45 2002
+++ php4-4.1.2/main/rfc1867.c   Sun Mar  3 22:11:42 2002
@@ -162,15 +162,15 @@
                                                SAFE_RETURN;
                                        }
                                        /* some other headerfield found, skip it
 */
-                                       loc = (char *) memchr(ptr, '\n', rem)+1;
+                                       loc = (char *) memchr(ptr, '\n', rem);
                                        if (!loc) {
                                                /* broken */
                                                php_error(E_WARNING, "File Uploa
d Mime headers garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr + 2), *(ptr +
 3), *(ptr + 4));
                                                SAFE_RETURN;
                                        }
-                                       while (*loc == ' ' || *loc == '\t') {
+                                       while (*++loc == ' ' || *loc == '\t') {
                                                /* other field is folded, skip i
t */
-                                               loc = (char *) memchr(loc, '\n',
 rem-(loc-ptr))+1;
+                                               loc = (char *) memchr(loc, '\n',
 rem-(loc-ptr));
                                                if (!loc) {
                                                        /* broken */
                                                        php_error(E_WARNING, "Fi
le Upload Mime headers garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr + 2),
 *(ptr + 3), *(ptr + 4));
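Review bot: the new loop condition `while (*++loc == ' ' || *loc == '\t')` advances loc past the newline and dereferences it without checking that it is still inside the rem bytes starting at ptr. When the '\n' that memchr() found is the last of those bytes, this reads one byte beyond the range that was searched; nothing visible in this hunk guarantees a terminator there. Consider incrementing loc as a separate statement after the NULL check and testing `loc < ptr + rem` before the dereference, which also removes the side effect from the loop condition and makes the order of the NULL check and the increment explicit in both places.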

 [2002-03-03 18:14 UTC] sniper@php.net
Yes, you're right and this has already been fixed.

 