security fixes

PHP supports multipart/form-data POST requests (as described in RFC1867)
known as POST fileuploads. Unfourtunately there are several flaws in the
php_mime_split function that could be used by an attacker to execute
arbitrary code.
- broken boundary check
- arbitrary heap overflow
--
Ok'd by: maintainer

www/php3/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.41 2001/11/19 01:38:58 brad Exp $
+# $OpenBSD: Makefile,v 1.42 2002/02/27 16:31:59 brad Exp $
 
 COMMENT=	"server-side HTML-embedded scripting language"
 
@@ -6,10 +6,11 @@ COMMENT=	"server-side HTML-embedded scripting language"
 # and has Apache that supports DSO's.
 ONLY_FOR_ARCHS=	i386 m68k sparc
 
-DISTNAME=	php-3.0.18
+VERSION=	3.0.18
-PKGNAME=	php3-3.0.18
+DISTNAME=	php-${VERSION}
+PKGNAME=	php3-${VERSION}p2
 CATEGORIES=	www lang
-NEED_VERSION=	1.489
+NEED_VERSION=	1.500
 
 HOMEPAGE=	http://www.php.net/
 

www/php3/patches/patch-functions_mime_c

@@ -0,0 +1,24 @@
+$OpenBSD: patch-functions_mime_c,v 1.1 2002/02/27 16:31:59 brad Exp $
+--- functions/mime.c.orig	Mon Oct 16 21:30:59 2000
++++ functions/mime.c	Wed Feb 27 10:12:11 2002
+@@ -85,7 +85,9 @@ void php3_mime_split(char *buf, int cnt,
+ 					SAFE_RETURN;
+ 				}
+ 				loc = memchr(ptr, '\n', rem);
++				rem -= loc - ptr;
+ 				name = strstr(ptr, " name=");
++				ptr = loc;
+ 				if (name && name < loc) {
+ 					name += 6;
+ 					s = memchr(name, '\"', loc - name);
+@@ -138,6 +140,10 @@ void php3_mime_split(char *buf, int cnt,
+ 						sprintf(lbuf, "%s_name[]", abuf);
+ 						sbuf=estrdup(abuf);
+ 					} else {
++						if (abuf) {
++							efree(abuf);
++							abuf = NULL;
++						}
+ 						sprintf(lbuf, "%s_name", namebuf);
+ 						sbuf=estrdup(namebuf);
+ 					}