Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:rkwasny
php
php-5.1.2-CVE-2007-0906-imap.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File php-5.1.2-CVE-2007-0906-imap.patch of Package php
--- ext/imap/php_imap.c +++ ext/imap/php_imap.c @@ -62,6 +62,9 @@ #define CRLF_LEN sizeof("\015\012") - 1 #define PHP_EXPUNGE 32768 #define PHP_IMAP_ADDRESS_SIZE_BUF 10 +#ifndef SENDBUFLEN +#define SENDBUFLEN 16385 +#endif static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC); static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC); @@ -1152,13 +1155,13 @@ if ((i = cache->user_flags)) { strcat(tmp, "{"); while (i) { - strcat(tmp, imap_le_struct->imap_stream->user_flags[find_rightmost_bit (&i)]); - if (i) strcat(tmp, " "); + strlcat(tmp, imap_le_struct->imap_stream->user_flags[find_rightmost_bit (&i)], sizeof(tmp)); + if (i) strlcat(tmp, " ", sizeof(tmp)); } - strcat(tmp, "} "); + strlcat(tmp, "} ", sizeof(tmp)); } mail_fetchsubject(t = tmp + strlen(tmp), imap_le_struct->imap_stream, msgno, (long)25); - sprintf(t += strlen(t), " (%ld chars)", cache->rfc822_size); + snprintf(t += strlen(t), sizeof(tmp) - strlen(tmp), " (%ld chars)", cache->rfc822_size); add_next_index_string(return_value, tmp, 1); } } @@ -2915,7 +2918,7 @@ BODY *bod=NULL, *topbod=NULL; PART *mypart=NULL, *part; PARAMETER *param, *disp_param = NULL, *custom_headers_param = NULL, *tmp_param = NULL; - char tmp[8 * MAILTMPLEN], *mystring=NULL, *t=NULL, *tempstring=NULL; + char tmp[SENDBUFLEN + 1], *mystring=NULL, *t=NULL, *tempstring=NULL; int toppart = 0; if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &envelope, &body) == FAILURE) { @@ -3216,8 +3219,8 @@ goto done; } - rfc822_encode_body_7bit(env, topbod); - rfc822_header (tmp, env, topbod); + rfc822_encode_body_7bit(env, topbod); + rfc822_header(tmp, env, topbod); /* add custom envelope headers */ if (custom_headers_param) { @@ -3266,43 +3269,42 @@ /* yucky default */ if (!cookie) { cookie = "-"; + } else if (strlen(cookie) > (sizeof(tmp) - 2 - 2)) { /* validate cookie length -- + CRLF */ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The boudary should be no longer then 4kb"); + RETVAL_FALSE; + goto done; } /* for each part */ do { t=tmp; /* build cookie */ - sprintf (t, "--%s%s", cookie, CRLF); + sprintf(t, "--%s%s", cookie, CRLF); /* append mini-header */ rfc822_write_body_header(&t, &part->body); /* write terminating blank line */ - strcat (t, CRLF); + strcat(t, CRLF); /* output cookie, mini-header, and contents */ - tempstring=emalloc(strlen(mystring)+strlen(tmp)+1); - sprintf(tempstring, "%s%s", mystring, tmp); + spprintf(&tempstring, 0, "%s%s", mystring, tmp); efree(mystring); mystring=tempstring; bod=&part->body; - tempstring=emalloc(strlen(bod->contents.text.data)+strlen(CRLF)+strlen(mystring)+1); - sprintf(tempstring, "%s%s%s", mystring, bod->contents.text.data, CRLF); + spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data, CRLF); efree(mystring); mystring=tempstring; } while ((part = part->next)); /* until done */ /* output trailing cookie */ - sprintf(tmp, "--%s--", cookie); - tempstring=emalloc(strlen(tmp)+strlen(CRLF)+strlen(mystring)+1); - sprintf(tempstring, "%s%s%s", mystring, tmp, CRLF); + spprintf(&tempstring, 0, "%s--%s--%s", mystring, tmp, CRLF); efree(mystring); mystring=tempstring; } else if (bod) { - tempstring = emalloc(strlen(bod->contents.text.data)+strlen(CRLF)+strlen(mystring)+1); - sprintf(tempstring, "%s%s%s", mystring, bod->contents.text.data, CRLF); + spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data, CRLF); efree(mystring); mystring=tempstring; } else { @@ -3350,14 +3352,14 @@ #define PHP_IMAP_CLEAN if (bufferTo) efree(bufferTo); if (bufferCc) efree(bufferCc); if (bufferBcc) efree(bufferBcc); if (bufferHeader) efree(bufferHeader); #define PHP_IMAP_BAD_DEST PHP_IMAP_CLEAN; efree(tempMailTo); return (BAD_MSG_DESTINATION); - bufferHeader = (char *)emalloc(bufferLen); + bufferHeader = (char *)emalloc(bufferLen + 1); memset(bufferHeader, 0, bufferLen); if (to && *to) { - strcat(bufferHeader, "To: "); - strcat(bufferHeader, to); - strcat(bufferHeader, "\r\n"); + strlcat(bufferHeader, "To: ", bufferLen + 1); + strlcat(bufferHeader, to, bufferLen + 1); + strlcat(bufferHeader, "\r\n", bufferLen + 1); tempMailTo = estrdup(to); - bufferTo = (char *)emalloc(strlen(to)); + bufferTo = (char *)emalloc(strlen(to) + 1); offset = 0; addr = NULL; rfc822_parse_adrlist(&addr, tempMailTo, NULL); @@ -3376,11 +3378,11 @@ } if (cc && *cc) { - strcat(bufferHeader, "Cc: "); - strcat(bufferHeader, cc); - strcat(bufferHeader, "\r\n"); + strlcat(bufferHeader, "Cc: ", bufferLen + 1); + strlcat(bufferHeader, cc, bufferLen + 1); + strlcat(bufferHeader, "\r\n", bufferLen + 1); tempMailTo = estrdup(cc); - bufferCc = (char *)emalloc(strlen(cc)); + bufferCc = (char *)emalloc(strlen(cc) + 1); offset = 0; addr = NULL; rfc822_parse_adrlist(&addr, tempMailTo, NULL); @@ -3400,7 +3402,7 @@ if (bcc && *bcc) { tempMailTo = estrdup(bcc); - bufferBcc = (char *)emalloc(strlen(bcc)); + bufferBcc = (char *)emalloc(strlen(bcc) + 1); offset = 0; addr = NULL; rfc822_parse_adrlist(&addr, tempMailTo, NULL); @@ -3419,7 +3421,7 @@ } if (headers && *headers) { - strcat(bufferHeader, headers); + strlcat(bufferHeader, headers, bufferLen + 1); } if (TSendMail(INI_STR("SMTP"), &tsm_err, &tsm_errmsg, bufferHeader, subject, bufferTo, message, bufferCc, bufferBcc, rpath TSRMLS_CC) != SUCCESS) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
