From: vesely at tana dot it Operating system: Any PHP version: 4.3.0 PHP Bug Type: HTTP related Bug description: Weak parsing in rfc1867.c
Hi, watch out rfc1867.c around line 342, in function next_line() there is (was?) the following code: if (ptr) { /* ... */ } else { /* ... */ line[self->bufsize] = 0; self->buf_begin = ptr; /* <=== */ self->bytes_in_buffer = 0; } ptr is obviously NULL, buf_begin should never be NULL or the program may crash. So this is a potential vulnerability for DOS attackers who submit long lines. Since you're there, would you mind to check why at line 721, in the rfc1867_post_handler function, there is boundary_end = strchr(boundary, ','); Shouldn't it be ';' (semicolon) rather than ',' (comma)? (Just wandering) -- Edit bug report at http://bugs.php.net/?id=22657&edit=1 -- Try a CVS snapshot: http://bugs.php.net/fix.php?id=22657&r=trysnapshot Fixed in CVS: http://bugs.php.net/fix.php?id=22657&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=22657&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=22657&r=needtrace Try newer version: http://bugs.php.net/fix.php?id=22657&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=22657&r=support Expected behavior: http://bugs.php.net/fix.php?id=22657&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=22657&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=22657&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=22657&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=22657&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=22657&r=dst IIS Stability: http://bugs.php.net/fix.php?id=22657&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=22657&r=gnused