ID: 3812
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Open
+Status: Closed
Bug Type: Reproducible Crash
Operating System: Linux Redhat 5.2, 2.0.36, glibc2
PHP Version: 3.0.15
New Comment:

this is ok in php 4.2.3 code

Previous Comments:
------------------------------------------------------------------------

[2000-03-12 08:06:24] [EMAIL PROTECTED]

The urlencode function is not binary safe. It retrieves the length of the string to encode as a parameter, then uses strlen to allocate the new buffer. Strlen returns wrong length for the bin-string. After that, the len-parameter is used to fill the buffer => a buffer-overwrite occurs.

php 4 beta 4 pl1:
change line 241 from
    str = (unsigned char *) emalloc(3 * strlen(s) + 1);
to
    str = (unsigned char *) emalloc(3 * len + 1);

php 3.15
change line 242 from
    str = (unsigned char *) emalloc(3 * strlen(s) + 1);
to
    str = (unsigned char *) emalloc(3 * len + 1);

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=3812&edit=1
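The size mismatch described in the report, as an added example that is not PHP's source: it compares the strlen-based and len-based allocation sizes for a constructed binary input and measures how far a len-driven fill would run past the smaller buffer. The function names, the sample bytes and the simplified encoding rules are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: binary string with an embedded NUL at offset 2. */
static const unsigned char SAMPLE[] = {'a','b',0x00,0xff,0xfe,' ','c','d'};

/* Size from the line the report quotes: strlen stops at the first NUL. */
size_t alloc_size_strlen(const unsigned char *s) { return 3 * strlen((const char *)s) + 1; }
/* Size from the report's proposed fix: driven by the len parameter. */
size_t alloc_size_len(size_t len) { return 3 * len + 1; }

/* Binary-safe encoder (hypothetical stand-in): allocation and fill loop both
   use len. Returns a malloc'd NUL-terminated string, length in *out_len. */
char *urlencode_binsafe(const unsigned char *s, size_t len, size_t *out_len) {
    static const char hex[] = "0123456789ABCDEF";
    if (len > (SIZE_MAX - 1) / 3) return NULL;   /* 3 * len + 1 would wrap */
    char *out = malloc(alloc_size_len(len));
    if (out == NULL) return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = s[i];
        int keep = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                   (c >= 'a' && c <= 'z') || c == '-' || c == '_' || c == '.';
        if (c == ' ') out[o++] = '+';
        else if (keep) out[o++] = (char)c;
        else { out[o++] = '%'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 15]; }
    }
    out[o] = '\0'; *out_len = o;
    return out;
}

/* Bytes a len-driven fill would write past a strlen-sized buffer (0 if it fits). */
size_t undersized_by(const unsigned char *s, size_t len) {
    size_t n = 0;
    char *enc = urlencode_binsafe(s, len, &n);
    if (enc == NULL) return 0;
    free(enc);
    size_t have = alloc_size_strlen(s);
    return (n + 1 > have) ? n + 1 - have : 0;
}

int main(void) {
    printf("overrun with strlen sizing: %zu bytes\n", undersized_by(SAMPLE, sizeof SAMPLE));
    return 0;
}
```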