diff options
| author | Ilia Alshanetsky <iliaa@php.net> | 2006-12-24 22:15:06 +0000 |
|---|---|---|
| committer | Ilia Alshanetsky <iliaa@php.net> | 2006-12-24 22:15:06 +0000 |
| commit | c5db57b495e4a3b66e9b9910454cd0945f401e17 (patch) | |
| tree | e29bc9b10923d0548f33e41045f9aaa54e5b5630 /ext/imap/php_imap.c | |
| parent | 4f46c4e90f073ce37ccb5ba806341fee1fc9ed1d (diff) | |
| download | php-git-c5db57b495e4a3b66e9b9910454cd0945f401e17.tar.gz | |
Fixed buffer boundary protection
Diffstat (limited to 'ext/imap/php_imap.c')
| -rw-r--r-- | ext/imap/php_imap.c | 27 |
1 files changed, 13 insertions, 14 deletions
diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c index c3c1f76c5f..4295250f50 100644 --- a/ext/imap/php_imap.c +++ b/ext/imap/php_imap.c @@ -2950,7 +2950,7 @@ PHP_FUNCTION(imap_mail_compose) BODY *bod=NULL, *topbod=NULL; PART *mypart=NULL, *part; PARAMETER *param, *disp_param = NULL, *custom_headers_param = NULL, *tmp_param = NULL; - char tmp[8 * MAILTMPLEN], *mystring=NULL, *t=NULL, *tempstring=NULL; + char tmp[SENDBUFLEN + 1], *mystring=NULL, *t=NULL, *tempstring=NULL; int toppart = 0; if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &envelope, &body) == FAILURE) { @@ -3251,8 +3251,8 @@ PHP_FUNCTION(imap_mail_compose) goto done; } - rfc822_encode_body_7bit(env, topbod); - rfc822_header (tmp, env, topbod); + rfc822_encode_body_7bit(env, topbod); + rfc822_header(tmp, env, topbod); /* add custom envelope headers */ if (custom_headers_param) { @@ -3301,43 +3301,42 @@ PHP_FUNCTION(imap_mail_compose) /* yucky default */ if (!cookie) { cookie = "-"; + } else if (strlen(cookie) > (sizeof(tmp) - 2 - 2)) { /* validate cookie length -- + CRLF */ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The boudary should be no longer then 4kb"); + RETVAL_FALSE; + goto done; } /* for each part */ do { t=tmp; /* build cookie */ - sprintf (t, "--%s%s", cookie, CRLF); + sprintf(t, "--%s%s", cookie, CRLF); /* append mini-header */ rfc822_write_body_header(&t, &part->body); /* write terminating blank line */ - strcat (t, CRLF); + strcat(t, CRLF); /* output cookie, mini-header, and contents */ - tempstring=emalloc(strlen(mystring)+strlen(tmp)+1); - sprintf(tempstring, "%s%s", mystring, tmp); + spprintf(&tempstring, 0, "%s%s", mystring, tmp); efree(mystring); mystring=tempstring; bod=&part->body; - tempstring=emalloc(strlen(bod->contents.text.data)+strlen(CRLF)+strlen(mystring)+1); - sprintf(tempstring, "%s%s%s", mystring, bod->contents.text.data, CRLF); + spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data, CRLF); efree(mystring); mystring=tempstring; } while ((part = part->next)); /* until done */ /* output trailing cookie */ - sprintf(tmp, "--%s--", cookie); - tempstring=emalloc(strlen(tmp)+strlen(CRLF)+strlen(mystring)+1); - sprintf(tempstring, "%s%s%s", mystring, tmp, CRLF); + spprintf(&tempstring, 0, "%s--%s--%s", mystring, tmp, CRLF); efree(mystring); mystring=tempstring; } else if (bod) { - tempstring = emalloc(strlen(bod->contents.text.data)+strlen(CRLF)+strlen(mystring)+1); - sprintf(tempstring, "%s%s%s", mystring, bod->contents.text.data, CRLF); + spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data, CRLF); efree(mystring); mystring=tempstring; } else { |