Bugtraq mailing list archives
Re: [GSA2001-01] PHP IMAP overflow fix problems
From: Anil Madhavapeddy <anil () RECOIL ORG>
Date: Tue, 6 Mar 2001 09:56:35 +0000
Quoting pre <pre () GEEKGANG CO UK>:
This issue appears to be fixed in the current CVS version of PHP (I haven't tested it, just looked at the code). The gsa2001-01.diff patch against php-4.0.4pl1 reverts the imap module to 4.0.3 behavior, without reintroducing the buffer overflow.
Attached is a patch against php-4.0.4pl1 (backported from php-cvs), which cures the problem without imposing 80-character limits or using static buffers. Just committed it to the OpenBSD-current port of PHP4. Thanks max () horde org for testing under Linux.

--
Anil Madhavapeddy, <anil () recoil org>
--- ext/imap/php_imap.c.orig Tue Mar 6 09:22:17 2001 +++ ext/imap/php_imap.c Tue Mar 6 09:24:10 2001 @@ -25,7 +25,7 @@ | PHP 4.0 updates: Zeev Suraski <zeev () zend com> | +----------------------------------------------------------------------+ */ -/* $Id: php_imap.c,v 1.50 2000/10/25 17:43:52 andrei Exp $ */ +/* $Id: php_imap.c,v 1.57 2001/02/21 20:33:46 thies Exp $ */ #define IMAP41 @@ -183,7 +183,19 @@ void mail_close_it(zend_rsrc_list_entry *rsrc) { pils *imap_le_struct = (pils *)rsrc->ptr; + IMAPLS_FETCH(); + mail_close_full(imap_le_struct->imap_stream, imap_le_struct->flags); + + if (IMAPG(imap_user)) { + efree(IMAPG(imap_user)); + IMAPG(imap_user) = 0; + } + if (IMAPG(imap_password)) { + efree(IMAPG(imap_password)); + IMAPG(imap_password) = 0; + } + efree(imap_le_struct); } @@ -633,6 +645,14 @@ } } + if (IMAPG(imap_user)) { + efree(IMAPG(imap_user)); + } + + if (IMAPG(imap_password)) { + efree(IMAPG(imap_password)); + } + IMAPG(imap_user) = estrndup(Z_STRVAL_PP(user), Z_STRLEN_PP(user)); IMAPG(imap_password) = estrndup(Z_STRVAL_PP(passwd), Z_STRLEN_PP(passwd)); @@ -712,6 +732,8 @@ } } efree(hashed_details); + efree(IMAPG(imap_user)); IMAPG(imap_user) = 0; + efree(IMAPG(imap_password)); IMAPG(imap_password) = 0; RETURN_FALSE; } @@ -721,6 +743,8 @@ node = malloc(sizeof(pils)); if (node == NULL) { efree(hashed_details); + efree(IMAPG(imap_user)); IMAPG(imap_user) = 0; + efree(IMAPG(imap_password)); IMAPG(imap_password) = 0; RETURN_FALSE; } @@ -757,6 +781,8 @@ free(headp); efree(hashed_details); + efree(IMAPG(imap_user)); IMAPG(imap_user) = 0; + efree(IMAPG(imap_password)); IMAPG(imap_password) = 0; RETURN_FALSE; } 
@@ -766,11 +792,11 @@ } else { #endif imap_stream = mail_open(NIL, Z_STRVAL_PP(mailbox), flags); - efree(IMAPG(imap_user)); - efree(IMAPG(imap_password)); if (imap_stream == NIL) { php_error(E_WARNING, "Couldn't open stream %s\n", (*mailbox)->value.str.val); + efree(IMAPG(imap_user)); IMAPG(imap_user) = 0; + efree(IMAPG(imap_password)); IMAPG(imap_password) = 0; RETURN_FALSE; }
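Review bot: in the mail_close_it hunk (@@ -183,7 +183,19 @@), efree(IMAPG(imap_password)) releases the password without overwriting it first, so the plaintext remains in freed heap memory until something reuses that block. Consider clearing the string over its full length before the efree, here and at the other places the patch frees it. Note also that imap_user and imap_password are module globals, while this function is a per-stream destructor: closing any one stream drops whatever credentials the most recent imap_open stored. If that is intended, a short comment would help the next reader.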
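Review bot: in the @@ -633,6 +645,14 @@ hunk, the new `if (IMAPG(imap_user)) { efree(IMAPG(imap_user)); }` guard (and the same for imap_password) is only safe if both globals start out as 0 before the first imap_open of a request, and nothing in this patch shows that initialisation. Please confirm the module's globals setup zeroes them, or add it to this patch, since a non-zero stale value here is passed straight to efree.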
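Review bot: the three error-path hunks (@@ -712,6 +732,8 @@, @@ -721,6 +743,8 @@ and @@ -757,6 +781,8 @@) each repeat the pair `efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;` and `efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;` with two statements per line. The same pair appears again on the mail_open failure path, and mail_close_it has a NULL-checked variant. A single small helper or macro that checks, frees and zeroes both globals would keep the exit paths consistent and make it harder for a future return path to miss the cleanup.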
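Review bot: in the @@ -766,11 +792,11 @@ hunk, the two efree calls that ran right after mail_open are removed and only the failure branch frees, so on success the plaintext password now stays in the module globals until mail_close_it runs or the next imap_open replaces it. If the credentials are only needed while mail_open is executing, keeping the original two frees and adding `= 0` after each would bound their lifetime and avoid the per-branch cleanup. If they are needed after mail_open returns, please say so in a comment next to the call.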