Bug #7799 Crash when parsing multipart POST in functions/mime.c:187 sbuf==NULL
Submitted: 2000-11-14 04:11 UTC
Modified: 2002-06-16 08:21 UTC
From: caseq at paranoia dot ru
Assigned:
Status: Not a bug
Package: Reproducible Crash
PHP Version: 3.0.17
OS: FreeBSD 3.3-RELEASE
Private report: No
CVE-ID: None
 [2000-11-14 04:11 UTC] caseq at paranoia dot ru
php3 segfaults when processing data coming from a multipart POST operation in line 187 of functions/mime.c, as the sbuf variable is used unconditionally in a call to strlen(), when it is only sometimes initialized to anything non-NULL in state 1.
Stack trace follows, core file available on request.

#0  0x808b176 in php3_mime_split (
    buf=0x81e7010 '-' <repeats 29 times>, "7d037473101bc\r\nContent-Disposition: form-data; name=\"f_process\"\r\n\r\npostattach", cnt=81489, 
    boundary=0xbfbfa7ac '-' <repeats 27 times>, "7d037473101bc", 
    http_post_vars=0xbfbfc834) at functions/mime.c:187
#1  0x808f57e in php3_getpost (http_post_vars=0xbfbfc834)
    at functions/post.c:239
#2  0x808faa1 in php3_treat_data (arg=0, str=0x0) at functions/post.c:443
#3  0x806e654 in _php3_hash_environment () at main.c:1348
#4  0x80b0d3c in lex_scan (phplval=0xbfbfca2c) at language-scanner.lex:814
#5  0x80733a1 in read_next_token (tcm=0x812200c, token=0xbfbfc910, 
    phplval=0xbfbfca2c) at token_cache.c:130
#6  0x806d3c7 in phplex (phplval=0xbfbfca2c) at main.c:488
#7  0x80a79e0 in phpparse () at /usr/lib/bison.simple:432
#8  0x806ea6b in php3_parse (yyin=0x28254398) at main.c:1566
#9  0x806ed14 in apache_php3_module_main (r=0x816d038, fd=18, 
    display_source_mode=0, preprocessed=0) at main.c:1926
#10 0x806c5c5 in send_php3 (r=0x816d038, display_source_mode=0, 
    preprocessed=0, 
    filename=0x816ec10 "/usr/local/www/data/qastone/nbrowse.php3")
    at mod_php3.c:241
#11 0x806c625 in send_parsed_php3 (r=0x816d038) at mod_php3.c:258
#12 0x80b554d in ap_invoke_handler (r=0x816d038) at http_config.c:516
#13 0x80c2e79 in process_request_internal (r=0x816d038) at http_request.c:1282
#14 0x80c2ec7 in ap_process_request (r=0x816d038) at http_request.c:1298
#15 0x80bd048 in child_main (child_num_arg=2) at http_main.c:4298
#16 0x80bd21a in make_child (s=0x8129038, slot=2, now=974191291)
    at http_main.c:4466
#17 0x80bd48d in perform_idle_server_maintenance () at http_main.c:4630
#18 0x80bd879 in standalone_main (argc=3, argv=0xbfbfdad4) at http_main.c:4862
#19 0x80bde03 in main (argc=3, argv=0xbfbfdad4) at http_main.c:5123
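
The failure mode described in this report, as an added example (not PHP 3 source and not the reporter's code): a simplified two-state part parser in which `sbuf` is assigned only when the header carries a `name` parameter, with the NULL check that an unconditional `strlen(sbuf)` lacks. The function name, return codes and sample inputs are hypothetical and constructed for illustration.

```c
#include <string.h>

enum { PART_OK = 0, PART_NO_NAME = -1, PART_MALFORMED = -2 };

/* Constructed sample parts: one with a name parameter, one without. */
static const char SAMPLE_NAMED[] = "Content-Disposition: form-data; name=\"f_process\"\r\n\r\npostattach";
static const char SAMPLE_NO_NAME[] = "Content-Disposition: form-data; filename=\"a.txt\"\r\n\r\ndata";

/* Hypothetical two-state parser for one multipart part (not PHP 3 source).
 * State 1 scans the header and sets sbuf only if a name="..." parameter is
 * present; state 2 needs that name. Copies the name into out. */
int parse_part(const char *part, char *out, size_t outsz)
{
    static const char key[] = "; name=\"";
    const char *sbuf = NULL;          /* stays NULL when the header has no name */
    size_t name_len = 0;
    int state = 1;
    const char *body = strstr(part, "\r\n\r\n");   /* header/body separator */

    if (body == NULL)
        return PART_MALFORMED;
    while (state != 0) {
        switch (state) {
        case 1: {                     /* header: conditional initialisation */
            const char *p = strstr(part, key);
            const char *end = p ? strchr(p + sizeof key - 1, '"') : NULL;
            if (p && p < body && end && end < body) {
                sbuf = p + sizeof key - 1;
                name_len = (size_t)(end - sbuf);
            }
            state = 2;
            break;
        }
        case 2:                       /* body: name is required from here on */
            /* The reported pattern is an unconditional strlen(sbuf) here,
             * which dereferences NULL. Reject the part instead. */
            if (sbuf == NULL)
                return PART_NO_NAME;
            if (name_len >= outsz)
                return PART_MALFORMED;
            memcpy(out, sbuf, name_len);
            out[name_len] = '\0';
            state = 0;
            break;
        }
    }
    return PART_OK;
}
```

Returning an error for the nameless part lets the caller skip or reject it instead of taking down the Apache child that is handling the request.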

 [2000-11-14 06:52 UTC] caseq at paranoia dot ru
Here's an HTML page to generate a request which causes a crash when posted to any php3 file (I'm using IE 5.0 as the browser). Neither the name nor the content of the file entered in the "userfile" input control seems to matter.

<html>
<head>
<title>Test</title>
</head>
<body>

<FORM  ENCTYPE="multipart/form-data" ACTION="http://somehost/somefile.php3" METHOD=POST>
<input type="hidden" name="f_process" value="postattach">
<INPUT NAME="userfile" TYPE="file">
<input type=submit name=regular_submit value="Send file">
</FORM>

</body>
</html>


 [2002-06-16 08:21 UTC] sander@php.net
Thank you for taking the time to report a problem with PHP.
Unfortunately, PHP 3 is no longer supported. Please download
the latest version of PHP 4 from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.
 
Last updated: Tue Apr 16 06:01:30 2024 UTC