php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28963 Incorrect ammount of memory allocated for a string in _php_imap_parse_address
Submitted: 2004-06-29 23:29 UTC Modified: 2004-07-04 18:53 UTC
From: af325798 at ohio dot edu Assigned:
Status: Closed Package: Strings related
PHP Version: 4.3.7 OS: Any
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: af325798 at ohio dot edu
New email:
PHP Version: OS:

 

 [2004-06-29 23:29 UTC] af325798 at ohio dot edu
Description:
------------
In file ext/imap/php_imap.c line 3685:
        if ((len = _php_imap_address_size(addresstmp))) {
                tmpstr = (char *) malloc (len); //strings are \0 terminated!

should be:
       if ((len = _php_imap_address_size(addresstmp))) {
                tmpstr = (char *) malloc (len+1); //correct

since C strings are \0 terminated, this bug causes buffer overflow - the contents of 'addresstmp' variable *sometimes* get ovewrritten, this results in an incorrect value of 'str' passed to add_property_string_ex (as seen in a provided stack trace), whih causes segmentation fault.


Reproduce code:
---------------
It's not easily reproducible but it seems to be quite obvious.

Actual result:
--------------
(ladebug) where
>0  0x3ff800d67d0 in strlen(...) in /usr/shlib/libc.so
#1  0x300000c54a0 in add_property_string_ex(arg=0x140289b18, key=0x30040218160="personal", key_len=9, str=0x403130303530334c=(null), duplicate=1) "zend_API.c":980
#2  0x3000010feb0 in _php_imap_parse_address(addresslist=0x1402bf2c0, fulladdress=0x11ffe6a60, paddress=0x14020e118) "php_imap.c":3642
#3  0x300001103a8 in _php_make_header_object(myzvalue=0x140245918, en=0x1402d0c40) "php_imap.c":3674
#4  0x30000101758 in zif_imap_headerinfo(ht=2, return_value=0x140245918, this_ptr=0x0, return_value_used=1) "php_imap.c":1639
#5  0x300000afa60 in execute(op_array=0x1401ccc18) "./zend_execute.c":1598
#6  0x300038094c8


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-07-04 18:53 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Oct 12 21:01:26 2024 UTC