From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8) Gecko/20020205

Description of problem:
The patch released by the PHP team earlier does not properly address the problem.

    loc = (char *) memchr(ptr, '\n', rem)+1;
    if (!loc) {}

won't ever execute the if() block. The code should simply do the first line without the increment, check the value of loc, and then do an increment in an else {} block. Contributed patch attached.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
Look at the code. :)

Actual Results:
It looks bad.

Expected Results:
It should have been fixed properly.

Additional info:
Rasmus at PHP has been contacted, but claims that this fix addresses a rare segfault condition, whereas the original patch fixes the security hole. He says that there are so many other potential segfaults in the code that they don't see a need to fix anything but "urgent security" problems. :)
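The defect described in the report, isolated as an added example (this is not the PHP source or the patch attached to this bug; the names ptr, rem and loc are taken from the report, the helper names, the struct and the sample buffers are assumptions). The broken form adds 1 to memchr()'s result before testing it, so a NULL result becomes (char *)1 and the check is dead; the fixed form tests first and increments in the else branch, as the report recommends.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of scanning for the end of the current line. */
struct scan_result {
    int  check_fired;   /* 1 if the "no newline found" branch executed */
    long offset;        /* offset of the byte after '\n'; meaningful only when check_fired == 0 */
};

/* Broken form: the +1 is applied before the NULL test, so the test can never
 * succeed. The original code did the arithmetic on the char pointer itself,
 * which is undefined behaviour when memchr() returns NULL; this copy performs
 * it on a uintptr_t so the example reproduces the practical outcome
 * (NULL + 1 == 1) without invoking undefined behaviour. */
struct scan_result next_line_broken(const char *ptr, size_t rem)
{
    struct scan_result r = { 0, 0 };
    uintptr_t loc = (uintptr_t) memchr(ptr, '\n', rem) + 1;

    if (!loc) {                 /* dead: a failed memchr() leaves loc == 1 */
        r.check_fired = 1;
        r.offset = -1;
        return r;
    }
    /* A real caller would now use (char *)loc, a bogus pointer when no
     * newline was present; here we only report the garbage offset. */
    r.offset = (long) (loc - (uintptr_t) ptr);
    return r;
}

/* Fixed form: test memchr()'s result first, increment only when it is valid. */
struct scan_result next_line_fixed(const char *ptr, size_t rem)
{
    struct scan_result r = { 0, 0 };
    const char *loc = (const char *) memchr(ptr, '\n', rem);

    if (!loc) {
        r.check_fired = 1;      /* reachable: no newline in the remaining bytes */
        r.offset = -1;
        return r;
    } else {
        loc++;                  /* safe: loc points at a real '\n' */
    }
    r.offset = (long) (loc - ptr);
    return r;
}

int main(void)
{
    /* Constructed inputs: one buffer with a newline, one without. */
    const char with_nl[] = "ab\ncd";
    const char no_nl[]   = "abcd";
    struct scan_result b = next_line_broken(no_nl, sizeof no_nl - 1);
    struct scan_result f = next_line_fixed(no_nl, sizeof no_nl - 1);

    printf("with newline, fixed : offset %ld\n",
           next_line_fixed(with_nl, sizeof with_nl - 1).offset);
    printf("no newline,   broken: check_fired=%d (check never runs)\n", b.check_fired);
    printf("no newline,   fixed : check_fired=%d offset=%ld\n", f.check_fired, f.offset);
    return 0;
}
```

Both helpers behave identically when a newline is present; they diverge only on the failure case the report is about, which is why a unit test for this kind of parser should always include a buffer with no terminator.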
Unless I'm missing something, there's no patch attached ;-)
Created attachment 47102: 4.0.6 memchr logic fix.
Uh, duh... My mistake. It's attached now. :)
The attached patch is courtesy of Charlie Brady <charlieb>.
This was in fact fixed in the php-4.1.2-7.2.4 erratum.