Full Disclosure mailing list archives

Re: PHP: Calendar Buffer Overflow


From: Martin Pitt <martin.pitt () canonical com>
Date: Tue, 28 Jun 2005 10:02:28 +0200

Hi!

FistFucker [2005-06-27  7:02 +0200]:
> There are some nice sprintf()'s in "\ext\calendar\calendar.c":
> 'sprintf(date, "%i/%i/%i", month, day, year);'
> 
> Example exploitation (4.3.11):
> 
> <?php
> 
> JDToGregorian(999999999);
> 
> ?>

Interesting that this works on Windows. I took a look at the code:

PHP_FUNCTION(jdtogregorian)
{
    pval **julday;
    int year, month, day;
    char date[10];
    [...]
    sprintf(date, "%i/%i/%i", month, day, year);

    RETURN_STRING(date, 1);
}

The biggest string length I could get is 15 characters. That would
merely overflow into the "year, month, day" integers, but not even
close to the function's return address. 

Of course that is a bug that should be fixed in CVS head, but I think
it's not exploitable, so it does not require a security update as far
as I can see.

Thanks for the report,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
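Added example (mine, not code from the thread or from PHP's calendar extension; the helper names are made up): a bounds-checked replacement for the sprintf() into char date[10], with the buffer sized from the worst case of three ints and a check that shows why ten bytes is too small.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helpers (not PHP code): each int formatted with %i needs at
 * most 11 characters ("-2147483648"); two slashes and the NUL terminator
 * bring the worst case for "%i/%i/%i" to 36 bytes. */
#define MDY_INT_MAX_CHARS 11
#define DATE_BUF_LEN (3 * MDY_INT_MAX_CHARS + 2 + 1)

/* Length (excluding NUL) that "%i/%i/%i" produces for these values.
 * snprintf with a NULL buffer and size 0 only measures, writes nothing. */
int mdy_needed_len(int month, int day, int year) {
    return snprintf(NULL, 0, "%i/%i/%i", month, day, year);
}

/* 1 if the formatted date fits in a buffer of 'len' bytes including NUL. */
int mdy_fits(size_t len, int month, int day, int year) {
    int needed = mdy_needed_len(month, day, year);
    return needed >= 0 && (size_t)needed < len;
}

/* Bounds-checked replacement for the sprintf() call: writes into buf of size
 * len and returns the length written, or -1 (leaving an empty string) when
 * the result would not fit. snprintf never writes past len bytes. */
int format_mdy(char *buf, size_t len, int month, int day, int year) {
    int n = snprintf(buf, len, "%i/%i/%i", month, day, year);
    if (n < 0 || (size_t)n >= len) {
        if (len > 0) buf[0] = '\0';
        return -1;
    }
    return n;
}

int main(void) {
    char small[10];            /* the size used in jdtogregorian */
    char safe[DATE_BUF_LEN];   /* sized for the worst case */
    /* Constructed sample: a seven-digit year, 13 characters in total. */
    int month = 12, day = 31, year = 2737908;

    printf("needed: %d\n", mdy_needed_len(month, day, year));
    printf("fits in 10: %s\n", mdy_fits(sizeof small, month, day, year) ? "yes" : "no");
    printf("format into 10 -> %d\n", format_mdy(small, sizeof small, month, day, year));
    printf("format into %d -> %d (%s)\n", DATE_BUF_LEN,
           format_mdy(safe, sizeof safe, month, day, year), safe);
    return 0;
}
```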
