From:             af325798 at ohio dot edu
Operating system: Any
PHP version:      4.3.7
PHP Bug Type:     Strings related
Bug description:  Incorrect amount of memory allocated for a string in _php_imap_parse_address

Description:
------------
In file ext/imap/php_imap.c line 3685:
        if ((len = _php_imap_address_size(addresstmp))) {
                tmpstr = (char *) malloc (len); //strings are \0 terminated!

should be:
        if ((len = _php_imap_address_size(addresstmp))) {
                tmpstr = (char *) malloc (len+1); //correct

Since C strings are \0 terminated, this bug causes a buffer overflow: the
contents of the 'addresstmp' variable *sometimes* get overwritten, which
results in an incorrect value of 'str' being passed to add_property_string_ex
(as seen in the provided stack trace), which causes a segmentation fault.
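The allocation pattern the report describes, written out as a stand-alone example (this is added illustration, not code from php_imap.c): a size function that counts formatted characters without the terminating NUL, a formatter that allocates one byte more than that count, and a consistency check that catches the size function and the format string drifting apart. The `struct address`, the `address_size` routine and the "personal <mailbox@host>" format are assumptions standing in for the c-client ADDRESS structure and `_php_imap_address_size`, whose exact output format the report does not show.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the c-client ADDRESS record that
 * _php_imap_parse_address walks; not the real structure. */
struct address {
    const char *personal;  /* display name, may be NULL or empty */
    const char *mailbox;   /* local part */
    const char *host;      /* domain */
};

/* Hypothetical counterpart of _php_imap_address_size: returns the number of
 * characters the formatted address occupies, NOT counting the terminating
 * NUL. Assumed output format: "personal <mailbox@host>" or "mailbox@host". */
size_t address_size(const struct address *a)
{
    size_t len = strlen(a->mailbox) + 1 + strlen(a->host);  /* mailbox@host */
    if (a->personal && *a->personal)
        len += strlen(a->personal) + 3;                      /* personal + " <" + ">" */
    return len;
}

/* Bytes the heap buffer must hold: the counted characters plus the NUL.
 * This is the "len+1" from the fix; malloc(len) alone leaves the NUL that
 * the string functions always write one byte past the allocation. */
size_t address_alloc_bytes(const struct address *a)
{
    return address_size(a) + 1;
}

/* Formats the address into a freshly allocated NUL-terminated string.
 * Returns NULL on allocation failure or if the formatted length does not
 * match the precomputed size. Caller frees the result. */
char *format_address(const struct address *a)
{
    size_t len = address_size(a);
    char *buf = malloc(len + 1);            /* room for the NUL */
    if (!buf)
        return NULL;

    int n;
    if (a->personal && *a->personal)
        n = snprintf(buf, len + 1, "%s <%s@%s>", a->personal, a->mailbox, a->host);
    else
        n = snprintf(buf, len + 1, "%s@%s", a->mailbox, a->host);

    /* snprintf reports the length it wanted to write. If that differs from
     * the precomputed size, the size function and the format string have
     * drifted apart, which is the class of error that ends in truncation
     * or, with an unbounded copy, a heap overflow. Refuse rather than
     * hand back a string whose length we cannot vouch for. */
    if (n < 0 || (size_t)n != len) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    /* Constructed sample input. */
    struct address a = { "Jane Doe", "jane", "example.org" };
    char *s = format_address(&a);
    if (!s)
        return 1;
    printf("%s (%zu chars, %zu bytes allocated)\n",
           s, address_size(&a), address_alloc_bytes(&a));
    free(s);
    return 0;
}
```

The check on `snprintf`'s return value is the part worth carrying into real code: an off-by-one between "characters counted" and "bytes allocated" is invisible when the test inputs happen to be short, and only shows up as the kind of corrupted pointer the backtrace below records.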


Reproduce code:
---------------
It's not easily reproducible but it seems to be quite obvious.

Actual result:
--------------
(ladebug) where
>0  0x3ff800d67d0 in strlen(...) in /usr/shlib/libc.so
#1  0x300000c54a0 in add_property_string_ex(arg=0x140289b18,
key=0x30040218160="personal", key_len=9, str=0x403130303530334c=(null),
duplicate=1) "zend_API.c":980
#2  0x3000010feb0 in _php_imap_parse_address(addresslist=0x1402bf2c0,
fulladdress=0x11ffe6a60, paddress=0x14020e118) "php_imap.c":3642
#3  0x300001103a8 in _php_make_header_object(myzvalue=0x140245918,
en=0x1402d0c40) "php_imap.c":3674
#4  0x30000101758 in zif_imap_headerinfo(ht=2, return_value=0x140245918,
this_ptr=0x0, return_value_used=1) "php_imap.c":1639
#5  0x300000afa60 in execute(op_array=0x1401ccc18)
"./zend_execute.c":1598
#6  0x300038094c8


-- 
Edit bug report at http://bugs.php.net/?id=28963&edit=1