ID:               40600
 Updated by:       [EMAIL PROTECTED]
 Reported By:      stas at FreeBSD dot org
-Status:           Open
+Status:           Bogus
 Bug Type:         POSIX related
 Operating System: FreeBSD
 PHP Version:      5.2.1
 Assigned To:      iliaa
 New Comment:

buflen check disallows values that are less than 1, so how 
will you ever allocate a negative value?

RETURN_FALSE will terminate the function.


Previous Comments:
------------------------------------------------------------------------

[2007-02-25 23:04:42] stas at FreeBSD dot org

The bug is still here.

------------------------------------------------------------------------

[2007-02-24 09:03:50] stas at FreeBSD dot org

> The current code is fine, we should not hardcode buffer sizes
> if they cannot be retrieved, this could lead to exploitable
> situations. Also if the return buffer length of 0 it probably
> indicates a problem.

1) According to POSIX it's not a problem
2) Besides that one check is missing (take a look at patch), so you're
effectively trying to malloc (size_t)-1 bytes on FreeBSD currently,
which leads to a crash.

------------------------------------------------------------------------

[2007-02-23 23:53:25] [EMAIL PROTECTED]

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

The current code is fine, we should not hardcode buffer sizes 
if they cannot be retrieved, this could lead to exploitable 
situations. Also if the return buffer length of 0 it probably 
indicates a problem. 

------------------------------------------------------------------------

[2007-02-23 14:07:38] [EMAIL PROTECTED]

Ilia, please take a look at this, IIRC you added those sysconf()
patches.

------------------------------------------------------------------------

[2007-02-23 13:55:02] [EMAIL PROTECTED]

>Yeah... According to susv3:
Yes, I know that, thanks.
But that does not mean "if (buflen < 1)" is incorrect.
I don't think that zero buflen is a correct value (and even if it is,
it's useless).

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/40600
