8 + 20 + 1 + 1 = 30

There was no Bufferoverflow on 64bit systems.

And the "fix" broke the header code on systems with old style snprintf.

diff --git a/main/SAPI.c b/main/SAPI.c
index dedd65c46275c636313f5cda014ea469aa134412..692a52a9198bc5622b5bed4a8f8a397eb7d4bbe0 100644 (file)
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -619,18 +619,14 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
                                                                                                0, &result_len, -1 TSRMLS_CC);
                                                if(result_len==ptr_len) {
                                                        char *lower_temp = estrdup(ptr);        
-                                                       char conv_temp[64];
+                                                       char conv_temp[32];
                                                        int conv_len;
 
                                                        php_strtolower(lower_temp,strlen(lower_temp));
                                                        /* If there is no realm string at all, append one */
                                                        if(!strstr(lower_temp,"realm")) {
                                                                efree(result);
-                                                               conv_len = snprintf(conv_temp, sizeof(conv_temp), " realm=\"%ld\"",myuid);
-                                                               /* some broken snprintf() impls may return a negative value on failure */
-                                                               if (conv_len < 0) {
-                                                                       conv_len = 0;
-                                                               }
+                                                               conv_len = sprintf(conv_temp, sizeof(conv_temp), " realm=\"%ld\"",myuid);
                                                                result = emalloc(ptr_len+conv_len+1);
                                                                result_len = ptr_len+conv_len;
                                                                memcpy(result, ptr, ptr_len);   
@@ -653,7 +649,7 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
 #else
                                {
                                        myuid = php_getuid();
-                                       result = emalloc(32);
+                                       result = emalloc(sizeof("WWW-Authenticate: ")+20);
                                        newlen = sprintf(result, "WWW-Authenticate: %ld", myuid);       
                                        newheader = estrndup(result,newlen);
                                        efree(header_line);