Re: CVE request: php-5.2.6 overflow issues

[Joe Orton <jorton () redhat com>]

On Fri, Aug 08, 2008 at 03:31:45PM +0200, Christian Hoffmann wrote:
>   * Overflow in ext/gd's imageloadfont() function [1] [2] [3]
>   * Overflow in php's internal memnstr() function which is exposed
>     to userspace as "explode()" [1] [2] [4] [5]
>
> As those functions might take user-supplied data in certain webapps  
> (which is a valid use case at least in case of explode()), those issues  
> should probably expected to be remotely exploitable.

The explode() bug could only be triggered if a script passed a delimiter 
from untrusted script input without sanitizing/checking it first, which 
is fairly pathological behaviour.  I would call that a script bug, not 
an issue in the PHP interpreter.

e.g looking through the first ~80 hits from:

http://www.google.com/codesearch?hl=en&q=+lang:php+explode\+*\(&start=70&sa=N

as expected, every explode() call uses a constant/trusted delimiter.

Regards, Joe (please CC me on replies)