[Full-disclosure] PHP: Calendar Buffer Overflow
Martin Pitt
martin.pitt at canonical.com
Tue Jun 28 09:02:28 BST 2005
Hi!
FistFucker [2005-06-27 7:02 +0200]:
>There are some nice sprintf()'s in "\ext\calendar\calendar.c":
>'sprintf(date, "%i/%i/%i", month, day, year);'
>
>Example exploitation (4.3.11):
>
>
><?php
>
> JDToGregorian(999999999);
>
>?>
Interesting that this works on Windows. I took a look at the code:
PHP_FUNCTION(jdtogregorian)
{
pval **julday;
int year, month, day;
char date[10];
[...]
sprintf(date, "%i/%i/%i", month, day, year);
RETURN_STRING(date, 1);
}
The biggest string length I could get is 15 characters. That would
merely overflow into the "year, month, day" integers, but not even
close to the function's return address.
Of course that is a bug that should be fixed in CVS head, but I think
it's not exploitable, so it does not require a security update as far
as I can see.
Thanks for the report,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050628/676c77e7/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.