Re: [GSA2001-01] PHP IMAP overflow fix problems

[Anil Madhavapeddy <anil () RECOIL ORG>]

Quoting pre <pre () GEEKGANG CO UK>:

> This issue appears to be fixed in the current CVS version of PHP (I
> haven't tested it, just looked at the code).
>
> The gsa2001-01.diff patch against php-4.0.4pl1 reverts the imap module
> to 4.0.3 behavior, without reintroducing the buffer overflow.

Attached is a patch against php-4.0.4pl1 (backported from php-cvs), which cures
the problem without imposing 80-character limits or using static buffers.

Just committed it to the OpenBSD-current port of PHP4.  Thanks max () horde org
for testing under Linux.

--
Anil Madhavapeddy, <anil () recoil org>

--- ext/imap/php_imap.c.orig    Tue Mar  6 09:22:17 2001
+++ ext/imap/php_imap.c Tue Mar  6 09:24:10 2001
@@ -25,7 +25,7 @@
    | PHP 4.0 updates:  Zeev Suraski <zeev () zend com>                       |
    +----------------------------------------------------------------------+
  */
-/* $Id: php_imap.c,v 1.50 2000/10/25 17:43:52 andrei Exp $ */
+/* $Id: php_imap.c,v 1.57 2001/02/21 20:33:46 thies Exp $ */

 #define IMAP41

@@ -183,7 +183,19 @@
 void mail_close_it(zend_rsrc_list_entry *rsrc)
 {
        pils *imap_le_struct = (pils *)rsrc->ptr;
+       IMAPLS_FETCH();
+
        mail_close_full(imap_le_struct->imap_stream, imap_le_struct->flags);
+
+       if (IMAPG(imap_user)) {
+               efree(IMAPG(imap_user));
+               IMAPG(imap_user) = 0;
+       }
+       if (IMAPG(imap_password)) {
+               efree(IMAPG(imap_password));
+               IMAPG(imap_password) = 0;
+       }
+
        efree(imap_le_struct);
 }

@@ -633,6 +645,14 @@
                }
        }

+       if (IMAPG(imap_user)) {
+               efree(IMAPG(imap_user));
+       }
+
+       if (IMAPG(imap_password)) {
+               efree(IMAPG(imap_password));
+       }
+
        IMAPG(imap_user)     = estrndup(Z_STRVAL_PP(user), Z_STRLEN_PP(user));
        IMAPG(imap_password) = estrndup(Z_STRVAL_PP(passwd), Z_STRLEN_PP(passwd));
        
@@ -712,6 +732,8 @@
                                }
                        }
                        efree(hashed_details);
+                       efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;
+                       efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;
                        RETURN_FALSE;
                }

@@ -721,6 +743,8 @@
                        node = malloc(sizeof(pils));
                        if (node == NULL) {
                                efree(hashed_details);
+                               efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;
+                               efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;
                                RETURN_FALSE;
                        }

@@ -757,6 +781,8 @@

                        free(headp);
                        efree(hashed_details);
+                       efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;
+                       efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;
                        RETURN_FALSE;
                }

@@ -766,11 +792,11 @@
        } else {
 #endif
                imap_stream = mail_open(NIL, Z_STRVAL_PP(mailbox), flags);
-               efree(IMAPG(imap_user));
-               efree(IMAPG(imap_password));

                if (imap_stream == NIL) {
                        php_error(E_WARNING, "Couldn't open stream %s\n", (*mailbox)->value.str.val);
+                       efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;
+                       efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;
                        RETURN_FALSE;
                }