php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28963 Incorrect ammount of memory allocated for a string in _php_imap_parse_address
Submitted: 2004-06-29 23:29 UTC Modified: 2004-07-04 18:53 UTC
From: af325798 at ohio dot edu Assigned:
Status: Closed Package: Strings related
PHP Version: 4.3.7 OS: Any
Private report: No CVE-ID:
 [2004-06-29 23:29 UTC] af325798 at ohio dot edu
Description:
------------
In file ext/imap/php_imap.c line 3685:
        if ((len = _php_imap_address_size(addresstmp))) {
                tmpstr = (char *) malloc (len); //strings are \0 terminated!

should be:
       if ((len = _php_imap_address_size(addresstmp))) {
                tmpstr = (char *) malloc (len+1); //correct

since C strings are \0 terminated, this bug causes buffer overflow - the contents of 'addresstmp' variable *sometimes* get ovewrritten, this results in an incorrect value of 'str' passed to add_property_string_ex (as seen in a provided stack trace), whih causes segmentation fault.


Reproduce code:
---------------
It's not easily reproducible but it seems to be quite obvious.

Actual result:
--------------
(ladebug) where
>0  0x3ff800d67d0 in strlen(...) in /usr/shlib/libc.so
#1  0x300000c54a0 in add_property_string_ex(arg=0x140289b18, key=0x30040218160="personal", key_len=9, str=0x403130303530334c=(null), duplicate=1) "zend_API.c":980
#2  0x3000010feb0 in _php_imap_parse_address(addresslist=0x1402bf2c0, fulladdress=0x11ffe6a60, paddress=0x14020e118) "php_imap.c":3642
#3  0x300001103a8 in _php_make_header_object(myzvalue=0x140245918, en=0x1402d0c40) "php_imap.c":3674
#4  0x30000101758 in zif_imap_headerinfo(ht=2, return_value=0x140245918, this_ptr=0x0, return_value_used=1) "php_imap.c":1639
#5  0x300000afa60 in execute(op_array=0x1401ccc18) "./zend_execute.c":1598
#6  0x300038094c8


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-07-04 18:53 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 01:01:56 2014 UTC