iliaa           Sun Dec 24 22:15:18 2006 UTC

  Modified files:              
    /php-src/ext/imap   php_imap.c 
  Log:
  MFB: Fixed buffer boundary protection
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.230&r2=1.231&diff_format=u
Index: php-src/ext/imap/php_imap.c
diff -u php-src/ext/imap/php_imap.c:1.230 php-src/ext/imap/php_imap.c:1.231
--- php-src/ext/imap/php_imap.c:1.230   Sun Dec 17 18:23:10 2006
+++ php-src/ext/imap/php_imap.c Sun Dec 24 22:15:18 2006
@@ -26,7 +26,7 @@
    | PHP 4.0 updates:  Zeev Suraski <[EMAIL PROTECTED]>                       |
    +----------------------------------------------------------------------+
  */
-/* $Id: php_imap.c,v 1.230 2006/12/17 18:23:10 iliaa Exp $ */
+/* $Id: php_imap.c,v 1.231 2006/12/24 22:15:18 iliaa Exp $ */
 
 #define IMAP41
 
@@ -2946,7 +2946,7 @@
        BODY *bod=NULL, *topbod=NULL;
        PART *mypart=NULL, *part;
        PARAMETER *param, *disp_param = NULL, *custom_headers_param = NULL, 
*tmp_param = NULL;
-       char tmp[8 * MAILTMPLEN], *mystring=NULL, *t=NULL, *tempstring=NULL;
+       char tmp[SENDBUFLEN + 1], *mystring=NULL, *t=NULL, *tempstring=NULL;
        int toppart = 0;
 
        if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &envelope, &body) 
== FAILURE) {
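Review bot: The declaration `char tmp[SENDBUFLEN + 1]` does not say what the size has to cover, and the warning added later in this commit tells the user the limit is 4kb while the check itself compares against `sizeof(tmp) - 2 - 2`. SENDBUFLEN is defined outside this page, so whether the message and the real limit agree cannot be confirmed here. A comment on the declaration such as `/* receives rfc822_header() output and each part's boundary line + mini-header; the boundary length check below depends on sizeof(tmp) */` would tie the two together, and the warning could report the limit derived from `sizeof(tmp)` instead of a literal. The function body starts before and continues after this hunk.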
@@ -3247,8 +3247,8 @@
                goto done;
        }
 
-       rfc822_encode_body_7bit(env, topbod); 
-       rfc822_header (tmp, env, topbod);
+       rfc822_encode_body_7bit(env, topbod);
+       rfc822_header(tmp, env, topbod);
 
        /* add custom envelope headers */
        if (custom_headers_param) {
@@ -3297,43 +3297,42 @@
                /* yucky default */
                        if (!cookie) {
                                cookie = "-";  
+                       } else if (strlen(cookie) > (sizeof(tmp) - 2 - 2)) {  
/* validate cookie length -- + CRLF */
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"The boudary should be no longer then 4kb");
+                               RETVAL_FALSE;
+                               goto done;      
                        }
 
                /* for each part */
                        do {
                                t=tmp;
                        /* build cookie */
-                               sprintf (t, "--%s%s", cookie, CRLF);
+                               sprintf(t, "--%s%s", cookie, CRLF);
 
                        /* append mini-header */
                                rfc822_write_body_header(&t, &part->body);
 
                        /* write terminating blank line */
-                               strcat (t, CRLF);
+                               strcat(t, CRLF);
 
                        /* output cookie, mini-header, and contents */
-                               
tempstring=emalloc(strlen(mystring)+strlen(tmp)+1);
-                               sprintf(tempstring, "%s%s", mystring, tmp);
+                               spprintf(&tempstring, 0, "%s%s", mystring, tmp);
                                efree(mystring);
                                mystring=tempstring;
 
                                bod=&part->body;
 
-                               
tempstring=emalloc(strlen(bod->contents.text.data)+strlen(CRLF)+strlen(mystring)+1);
-                               sprintf(tempstring, "%s%s%s", mystring, 
bod->contents.text.data, CRLF);
+                               spprintf(&tempstring, 0, "%s%s%s", mystring, 
bod->contents.text.data, CRLF);
                                efree(mystring);
                                mystring=tempstring;
                        } while ((part = part->next)); /* until done */
 
                        /* output trailing cookie */
-                       sprintf(tmp, "--%s--", cookie);
-                       
tempstring=emalloc(strlen(tmp)+strlen(CRLF)+strlen(mystring)+1);
-                       sprintf(tempstring, "%s%s%s", mystring, tmp, CRLF);
+                       spprintf(&tempstring, 0, "%s--%s--%s", mystring, tmp, 
CRLF);
                        efree(mystring);
                        mystring=tempstring;
        } else if (bod) {
-                       tempstring = 
emalloc(strlen(bod->contents.text.data)+strlen(CRLF)+strlen(mystring)+1);
-                       sprintf(tempstring, "%s%s%s", mystring, 
bod->contents.text.data, CRLF);
+                       spprintf(&tempstring, 0, "%s%s%s", mystring, 
bod->contents.text.data, CRLF);
                        efree(mystring);
                        mystring=tempstring;
        } else {
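Review bot: The new length check on `cookie` does not keep the per-part writes inside `tmp`: `sprintf(t, "--%s%s", cookie, CRLF)` needs strlen(cookie) + 5 bytes including the terminating NUL, so a boundary of exactly `sizeof(tmp) - 4` characters passes the check and still writes one byte past the buffer, and `rfc822_write_body_header(&t, &part->body)` and `strcat(t, CRLF)` then append to the same buffer with no remaining-space check. The guard should reserve room for the NUL and for the mini-header, or the boundary line should be appended to `mystring` with `spprintf` so that `tmp` only ever holds the mini-header. Separately, the rewritten trailing-cookie line passes `tmp` where the removed code formatted `cookie`, so the closing delimiter would contain the last part's boundary line and mini-header; it presumably should read `spprintf(&tempstring, 0, "%s--%s--%s", mystring, cookie, CRLF);`. The enclosing function starts and ends outside this hunk.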
