File php-5.1.2-CVE-2007-0906-imap.patch of Package php
--- ext/imap/php_imap.c
+++ ext/imap/php_imap.c
@@ -62,6 +62,9 @@
#define CRLF_LEN sizeof("\015\012") - 1
#define PHP_EXPUNGE 32768
#define PHP_IMAP_ADDRESS_SIZE_BUF 10
+#ifndef SENDBUFLEN
+#define SENDBUFLEN 16385
+#endif
static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC);
static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC);
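Review bot: The fallback `#define SENDBUFLEN 16385` has no comment saying where the value comes from or why the guard is needed. A one-line comment such as `/* fallback for c-client headers that do not define SENDBUFLEN; sizes tmp in the mail-compose code */` would tell the next reader that the number is presumably meant to mirror the library's own constant and must not drift from it.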
@@ -1152,13 +1155,13 @@
if ((i = cache->user_flags)) {
strcat(tmp, "{");
while (i) {
- strcat(tmp, imap_le_struct->imap_stream->user_flags[find_rightmost_bit (&i)]);
- if (i) strcat(tmp, " ");
+ strlcat(tmp, imap_le_struct->imap_stream->user_flags[find_rightmost_bit (&i)], sizeof(tmp));
+ if (i) strlcat(tmp, " ", sizeof(tmp));
}
- strcat(tmp, "} ");
+ strlcat(tmp, "} ", sizeof(tmp));
}
mail_fetchsubject(t = tmp + strlen(tmp), imap_le_struct->imap_stream, msgno, (long)25);
- sprintf(t += strlen(t), " (%ld chars)", cache->rfc822_size);
+ snprintf(t += strlen(t), sizeof(tmp) - strlen(tmp), " (%ld chars)", cache->rfc822_size);
add_next_index_string(return_value, tmp, 1);
}
}
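Review bot: The `mail_fetchsubject(t = tmp + strlen(tmp), ..., (long)25)` call still writes at the current end of `tmp` without checking how much room is left. Now that the `strlcat` calls can fill `tmp` right up to `sizeof(tmp) - 1`, a long set of user flags leaves no space for the subject text that this call appends (up to 25 characters plus terminator, judging by its last argument). A guard such as `if (sizeof(tmp) - strlen(tmp) > 25) { mail_fetchsubject(...); }` before the call would close that gap. The context line `strcat(tmp, "{")` is also still unbounded. The declaration of `tmp` and whatever is written to it earlier are outside this hunk, so the remaining headroom should be confirmed there.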
@@ -2915,7 +2918,7 @@
BODY *bod=NULL, *topbod=NULL;
PART *mypart=NULL, *part;
PARAMETER *param, *disp_param = NULL, *custom_headers_param = NULL, *tmp_param = NULL;
- char tmp[8 * MAILTMPLEN], *mystring=NULL, *t=NULL, *tempstring=NULL;
+ char tmp[SENDBUFLEN + 1], *mystring=NULL, *t=NULL, *tempstring=NULL;
int toppart = 0;
if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &envelope, &body) == FAILURE) {
@@ -3216,8 +3219,8 @@
goto done;
}
- rfc822_encode_body_7bit(env, topbod);
- rfc822_header (tmp, env, topbod);
+ rfc822_encode_body_7bit(env, topbod);
+ rfc822_header(tmp, env, topbod);
/* add custom envelope headers */
if (custom_headers_param) {
@@ -3266,43 +3269,42 @@
/* yucky default */
if (!cookie) {
cookie = "-";
+ } else if (strlen(cookie) > (sizeof(tmp) - 2 - 2)) { /* validate cookie length -- + CRLF */
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The boudary should be no longer then 4kb");
+ RETVAL_FALSE;
+ goto done;
}
/* for each part */
do {
t=tmp;
/* build cookie */
- sprintf (t, "--%s%s", cookie, CRLF);
+ sprintf(t, "--%s%s", cookie, CRLF);
/* append mini-header */
rfc822_write_body_header(&t, &part->body);
/* write terminating blank line */
- strcat (t, CRLF);
+ strcat(t, CRLF);
/* output cookie, mini-header, and contents */
- tempstring=emalloc(strlen(mystring)+strlen(tmp)+1);
- sprintf(tempstring, "%s%s", mystring, tmp);
+ spprintf(&tempstring, 0, "%s%s", mystring, tmp);
efree(mystring);
mystring=tempstring;
bod=&part->body;
- tempstring=emalloc(strlen(bod->contents.text.data)+strlen(CRLF)+strlen(mystring)+1);
- sprintf(tempstring, "%s%s%s", mystring, bod->contents.text.data, CRLF);
+ spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data, CRLF);
efree(mystring);
mystring=tempstring;
} while ((part = part->next)); /* until done */
/* output trailing cookie */
- sprintf(tmp, "--%s--", cookie);
- tempstring=emalloc(strlen(tmp)+strlen(CRLF)+strlen(mystring)+1);
- sprintf(tempstring, "%s%s%s", mystring, tmp, CRLF);
+ spprintf(&tempstring, 0, "%s--%s--%s", mystring, tmp, CRLF);
efree(mystring);
mystring=tempstring;
} else if (bod) {
- tempstring = emalloc(strlen(bod->contents.text.data)+strlen(CRLF)+strlen(mystring)+1);
- sprintf(tempstring, "%s%s%s", mystring, bod->contents.text.data, CRLF);
+ spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data, CRLF);
efree(mystring);
mystring=tempstring;
} else {
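Review bot: The new cookie length check is too loose for the writes that follow it: a cookie of exactly `sizeof(tmp) - 4` bytes passes, yet `sprintf(t, "--%s%s", cookie, CRLF)` needs `strlen(cookie) + 5` bytes including the terminator, and `rfc822_write_body_header(&t, &part->body)` plus `strcat(t, CRLF)` then append to the same buffer with no size argument. The limit should reserve room for the mini-header, or the boundary line should be formatted with `spprintf` straight into `mystring` so that `tmp` only ever holds the mini-header. Separately, the trailing-boundary line passes `tmp` where the removed code used `cookie`; at that point `tmp` still holds the last part's boundary and mini-header, so it should read `spprintf(&tempstring, 0, "%s--%s--%s", mystring, cookie, CRLF);`. The warning text says 4kb although the bound is derived from `sizeof(tmp)`, and it has two typos ("boudary", "then"). The enclosing function starts and ends outside the hunk.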
@@ -3350,14 +3352,14 @@
#define PHP_IMAP_CLEAN if (bufferTo) efree(bufferTo); if (bufferCc) efree(bufferCc); if (bufferBcc) efree(bufferBcc); if (bufferHeader) efree(bufferHeader);
#define PHP_IMAP_BAD_DEST PHP_IMAP_CLEAN; efree(tempMailTo); return (BAD_MSG_DESTINATION);
- bufferHeader = (char *)emalloc(bufferLen);
+ bufferHeader = (char *)emalloc(bufferLen + 1);
memset(bufferHeader, 0, bufferLen);
if (to && *to) {
- strcat(bufferHeader, "To: ");
- strcat(bufferHeader, to);
- strcat(bufferHeader, "\r\n");
+ strlcat(bufferHeader, "To: ", bufferLen + 1);
+ strlcat(bufferHeader, to, bufferLen + 1);
+ strlcat(bufferHeader, "\r\n", bufferLen + 1);
tempMailTo = estrdup(to);
- bufferTo = (char *)emalloc(strlen(to));
+ bufferTo = (char *)emalloc(strlen(to) + 1);
offset = 0;
addr = NULL;
rfc822_parse_adrlist(&addr, tempMailTo, NULL);
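Review bot: None of the new `strlcat` calls on `bufferHeader` check the return value, so if `bufferLen` (computed outside this hunk) is ever too small, the header block is cut silently, possibly in the middle of an address or before the closing `\r\n`, and is still handed to `TSendMail`. Comparing the result with the size and bailing out would make truncation an error, something like `if (strlcat(bufferHeader, to, bufferLen + 1) >= bufferLen + 1) { PHP_IMAP_CLEAN; return (BAD_MSG_DESTINATION); }`. The same applies to the `Cc:` hunk and the `headers` hunk further down. The `memset` still clears only `bufferLen` bytes of a `bufferLen + 1` allocation; `memset(bufferHeader, 0, bufferLen + 1)` would keep the two in step.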
@@ -3376,11 +3378,11 @@
}
if (cc && *cc) {
- strcat(bufferHeader, "Cc: ");
- strcat(bufferHeader, cc);
- strcat(bufferHeader, "\r\n");
+ strlcat(bufferHeader, "Cc: ", bufferLen + 1);
+ strlcat(bufferHeader, cc, bufferLen + 1);
+ strlcat(bufferHeader, "\r\n", bufferLen + 1);
tempMailTo = estrdup(cc);
- bufferCc = (char *)emalloc(strlen(cc));
+ bufferCc = (char *)emalloc(strlen(cc) + 1);
offset = 0;
addr = NULL;
rfc822_parse_adrlist(&addr, tempMailTo, NULL);
@@ -3400,7 +3402,7 @@
if (bcc && *bcc) {
tempMailTo = estrdup(bcc);
- bufferBcc = (char *)emalloc(strlen(bcc));
+ bufferBcc = (char *)emalloc(strlen(bcc) + 1);
offset = 0;
addr = NULL;
rfc822_parse_adrlist(&addr, tempMailTo, NULL);
@@ -3419,7 +3421,7 @@
}
if (headers && *headers) {
- strcat(bufferHeader, headers);
+ strlcat(bufferHeader, headers, bufferLen + 1);
}
if (TSendMail(INI_STR("SMTP"), &tsm_err, &tsm_errmsg, bufferHeader, subject, bufferTo, message, bufferCc, bufferBcc, rpath TSRMLS_CC) != SUCCESS) {