Hi!

FistFucker [2005-06-27 7:02 +0200]:
> There are some nice sprintf()'s in "\ext\calendar\calendar.c":
> 'sprintf(date, "%i/%i/%i", month, day, year);'
>
> Example exploitation (4.3.11):
>
> <?php
>   JDToGregorian(999999999);
> ?>

Interesting that this works on Windows. I took a look at the code:

PHP_FUNCTION(jdtogregorian)
{
    pval **julday;
    int year, month, day;
    char date[10];

    [...]

    sprintf(date, "%i/%i/%i", month, day, year);
    RETURN_STRING(date, 1);
}

The biggest string length I could get is 15 characters. That would merely overflow into the "year, month, day" integers, but not even close to the function's return address. Of course that is a bug that should be fixed in CVS head, but I think it's not exploitable, so it does not require a security update as far as I can see.

Thanks for the report,

Martin

-- 
Martin Pitt                        http://www.piware.de
Ubuntu Developer                   http://www.ubuntu.com
Debian Developer                   http://www.debian.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
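The sprintf() into char date[10] discussed in the thread, as an added example that is neither PHP's code nor part of the original posts: it measures how many bytes "%i/%i/%i" actually produces for realistic inputs and puts the unbounded sprintf() next to a bounded snprintf() replacement that reports truncation. The Julian-day-to-Gregorian conversion is the textbook Fliegel and Van Flandern algorithm, assumed here as a stand-in for PHP's own ext/calendar routines, so the year/month/day it yields for the reporter's input illustrate the size of the output rather than reproduce what 4.3.11 computed; the helper names, the sample inputs and the 64-byte output buffer are all constructed for this example.

```c
/*
 * Added example (not PHP's code): how long "%i/%i/%i" can get, and why a
 * char date[10] cannot hold it.  All helper names are made up here.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Textbook Julian-day-number -> proleptic Gregorian conversion (Fliegel &
 * Van Flandern, 1968).  Assumption: used as a stand-in for PHP's sdncal
 * routines only to get realistic values out of large inputs.  64-bit
 * intermediates on purpose: 4 * jd already exceeds INT32_MAX for the
 * reporter's input of 999999999. */
static void jd_to_gregorian(int64_t jd, int *year, int *month, int *day)
{
    int64_t l = jd + 68569;
    int64_t n = 4 * l / 146097;
    l = l - (146097 * n + 3) / 4;
    int64_t i = 4000 * (l + 1) / 1461001;
    l = l - 1461 * i / 4 + 31;
    int64_t j = 80 * l / 2447;
    *day = (int)(l - 2447 * j / 80);
    l = j / 11;
    *month = (int)(j + 2 - 12 * l);
    *year = (int)(100 * (n - 49) + i + l);
}

/* Bytes "%i/%i/%i" writes for these values, excluding the terminator. */
static int formatted_len(int year, int month, int day)
{
    return snprintf(NULL, 0, "%i/%i/%i", month, day, year);
}

/* Upper bound for any int triple: three INT_MIN values plus two slashes. */
static int worst_case_len(void)
{
    return formatted_len(INT_MIN, INT_MIN, INT_MIN);
}

/* Would the formatted date, terminator included, fit in bufsz bytes? */
static int fits_in_buffer(size_t bufsz, int year, int month, int day)
{
    return (size_t)formatted_len(year, month, day) + 1 <= bufsz;
}

/* The pattern from the report: fixed 10-byte buffer, unbounded write.
 * Only safe to call when fits_in_buffer(10, ...) is true. */
static void format_date_unsafe(char date[10], int year, int month, int day)
{
    sprintf(date, "%i/%i/%i", month, day, year);
}

/* Hardened form: bounded write, and the caller is told about truncation
 * instead of silently getting a clipped date.  Returns 1 on success. */
static int format_date_safe(char *out, size_t outsz, int year, int month, int day)
{
    int n = snprintf(out, outsz, "%i/%i/%i", month, day, year);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz)
            out[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: the reporter's value, the date of the e-mail
     * (2005-06-27) and a date later that same year (2005-10-27). */
    const int64_t inputs[] = { 999999999, 2453549, 2453671 };
    char small[10];
    char big[64];

    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        int y, m, d;
        jd_to_gregorian(inputs[k], &y, &m, &d);
        int ok = format_date_safe(big, sizeof big, y, m, d);
        printf("JD %lld -> %s (%d chars + NUL): %s char date[10]\n",
               (long long)inputs[k], ok ? big : "?", formatted_len(y, m, d),
               fits_in_buffer(sizeof small, y, m, d) ? "fits" : "overflows");
    }
    /* Only exercise the unbounded version with a value known to fit. */
    format_date_unsafe(small, 2005, 6, 27);
    printf("unbounded sprintf with a fitting value: %s\n", small);
    printf("worst case for three ints: %d chars\n", worst_case_len());
    return 0;
}
```

Two things the run makes concrete. The bound for this format string does not depend on the calendar code at all: three INT_MIN values give 35 characters, so any fixed buffer shorter than 36 bytes is a guess about the inputs, not a guarantee. And the guess fails on ordinary dates, not just on 999999999: "10/27/2005" is exactly 10 characters, so with its terminator it already needs 11 bytes and overruns date[10] by one.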