ID: 3812
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Open
+Status: Closed
Bug Type: Reproducible Crash
Operating System: Linux Redhat 5.2, 2.0.36, glibc2
PHP Version: 3.0.15
New Comment:
this is ok in php 4.2.3 code
Previous Comments:
------------------------------------------------------------------------
[2000-03-12 08:06:24] [EMAIL PROTECTED]
The urlencode function is not binary safe. It retrieves the length of
the string to encode as a parameter,
then uses strlen to allocate the new buffer. Strlen returns wrong
length for the bin-string.
After that, the len-parameter is used to fill the buffer => a
buffer-overwrite occurs.
php 4 beta 4 pl1:
change line 241 from
    str = (unsigned char *) emalloc(3 * strlen(s) + 1);
to
    str = (unsigned char *) emalloc(3 * len + 1);
php 3.15
change line 242 from
    str = (unsigned char *) emalloc(3 * strlen(s) + 1);
to
    str = (unsigned char *) emalloc(3 * len + 1);
------------------------------------------------------------------------
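Added example, not part of the original report and not PHP's own source: a stand-alone C sketch of the size mismatch described in the comment above, with the allocation driven by len as the report proposes. The function names, the constructed SAMPLE input, the use of malloc in place of emalloc, and the simplified encoding rules are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: 5 bytes with an embedded NUL at offset 1. */
const char SAMPLE[5] = { 'a', '\0', 'b', ' ', (char)0xFF };

/* Size requested before the fix: strlen() stops at the first NUL byte. */
size_t size_from_strlen(const char *s) { return 3 * strlen(s) + 1; }

/* Size requested after the fix: driven by the caller-supplied length. */
size_t size_from_len(size_t len) { return 3 * len + 1; }

/* Hypothetical binary-safe encoder: allocation and copy loop both use len.
   Returns a malloc'd NUL-terminated string, or NULL on failure. */
char *urlencode_binsafe(const char *s, size_t len, size_t *out_len)
{
    static const char hex[] = "0123456789ABCDEF";
    unsigned char *str;
    size_t x, y = 0;

    if (len > (SIZE_MAX - 1) / 3) return NULL;   /* 3 * len + 1 would wrap */
    str = malloc(size_from_len(len));
    if (str == NULL) return NULL;
    for (x = 0; x < len; x++) {
        unsigned char c = (unsigned char)s[x];
        if (c == ' ') {
            str[y++] = '+';
        } else if (isalnum(c) || c == '-' || c == '_' || c == '.') {
            str[y++] = c;
        } else {                                  /* worst case: 3 bytes out */
            str[y++] = '%'; str[y++] = hex[c >> 4]; str[y++] = hex[c & 15];
        }
    }
    str[y] = '\0';
    if (out_len) *out_len = y;
    return (char *)str;
}

int main(void)
{
    size_t n = 0;
    char *enc = urlencode_binsafe(SAMPLE, sizeof SAMPLE, &n);
    printf("strlen-based size: %zu, len-based size: %zu\n",
           size_from_strlen(SAMPLE), size_from_len(sizeof SAMPLE));
    printf("encoded (%zu bytes + NUL): %s\n", n, enc ? enc : "(null)");
    free(enc);
    return 0;
}
```

For the sample, the strlen-based request is smaller than the encoded output the len-driven loop produces, which is the overwrite the report describes.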