archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-20 09:24:05 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

MFB: Fixed buffer boundary protection

Browse source
This commit is contained in:
Ilia Alshanetsky 2006-12-24 22:15:18 +00:00
parent 59b437aff8
commit 6fa038ae50
1 changed files with 13 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

19
ext/imap/php_imap.c
View file

@ -2946,7 +2946,7 @@ PHP_FUNCTION(imap_mail_compose)
BODY *bod=NULL, *topbod=NULL;
PART *mypart=NULL, *part;
PARAMETER *param, *disp_param = NULL, *custom_headers_param = NULL, *tmp_param = NULL;
char tmp[8 * MAILTMPLEN], *mystring=NULL, *t=NULL, *tempstring=NULL;
char tmp[SENDBUFLEN + 1], *mystring=NULL, *t=NULL, *tempstring=NULL;
int toppart = 0;
if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &envelope, &body) == FAILURE) {
@ -3297,6 +3297,10 @@ PHP_FUNCTION(imap_mail_compose)
/* yucky default */
if (!cookie) {
cookie = "-";
} else if (strlen(cookie) > (sizeof(tmp) - 2 - 2)) { /* validate cookie length -- + CRLF */
php_error_docref(NULL TSRMLS_CC, E_WARNING, "The boudary should be no longer then 4kb");
RETVAL_FALSE;
goto done;
}
/* for each part */
@ -3312,28 +3316,23 @@ PHP_FUNCTION(imap_mail_compose)
strcat(t, CRLF);
/* output cookie, mini-header, and contents */
tempstring=emalloc(strlen(mystring)+strlen(tmp)+1);
sprintf(tempstring, "%s%s", mystring, tmp);
spprintf(&tempstring, 0, "%s%s", mystring, tmp);
efree(mystring);
mystring=tempstring;
bod=&part->body;
tempstring=emalloc(strlen(bod->contents.text.data)+strlen(CRLF)+strlen(mystring)+1);
sprintf(tempstring, "%s%s%s", mystring, bod->contents.text.data, CRLF);
spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data, CRLF);
efree(mystring);
mystring=tempstring;
} while ((part = part->next)); /* until done */
/* output trailing cookie */
sprintf(tmp, "--%s--", cookie);
tempstring=emalloc(strlen(tmp)+strlen(CRLF)+strlen(mystring)+1);
sprintf(tempstring, "%s%s%s", mystring, tmp, CRLF);
spprintf(&tempstring, 0, "%s--%s--%s", mystring, tmp, CRLF);
efree(mystring);
mystring=tempstring;
} else if (bod) {
tempstring = emalloc(strlen(bod->contents.text.data)+strlen(CRLF)+strlen(mystring)+1);
sprintf(tempstring, "%s%s%s", mystring, bod->contents.text.data, CRLF);
spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data, CRLF);
efree(mystring);
mystring=tempstring;
} else {