Hello,

I've got a php app using the php-imap extension and a segmentation fault occurs during a call to imap_fetchbody on a specific message and section. I've attached an example email message that causes my crash. It seems a multipart/mixed message that contains a text part with no text will crash when I attempt to fetch the empty part. I tried a message that wasn't multipart and contained only a single empty text part and no crash occurred.

Debugging, I see the crash occurs in memcpy called from c-client. I believe that the problem is in the imap_parse_string function. The crash scenario calls imap_parse_string with the value "{-1}" in the txtptr parameter. Later in the function the "-1" is extracted and passed to strtoul which understandably isn't terribly happy about being asked to make a negative number unsigned. The crazy value returned from strtoul is passed down to the memcpy which crashes.

At this point I am a bit stumped. I'm not sure where that "-1" is coming from, though I suspect it could be from the imap server. We're using Zimbra which uses cyrus (2.1.22.3) for imap. The php app is running on Fedora 9 using php 5.2.6-2 and libc-client-2007b-1 both installed by rpm.

If there's any help or advice anyone can offer I would appreciate it. Let me know if you need any more info. Thanks!
Date: Thu, 07 Aug 2008 10:47:41 -0400
From: Josh Freed <[EMAIL PROTECTED]>
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: Trying to make a crash
Content-Type: multipart/mixed;
 boundary="------------070009080906060400030707"

This is a multi-part message in MIME format.
--------------070009080906060400030707
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


--------------070009080906060400030707--

_______________________________________________
Imap-uw mailing list
[email protected]
http://mailman2.u.washington.edu/mailman/listinfo/imap-uw
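
The length handling described in the post above, as an added example that is not part of the original message and is not c-client's code: `strtoul` accepts a leading minus sign and returns the negated value converted to unsigned, so the text after `{` in "{-1}" becomes `ULONG_MAX`. The function names and the 64 KiB cap are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap on a literal we are willing to buffer (assumption). */
#define MAX_LITERAL (64UL * 1024UL)

/* Unchecked parse: the text after '{' goes straight to strtoul,
 * matching the behaviour the post describes. */
unsigned long naive_literal_len(const char *txt)
{
    return strtoul(txt + 1, NULL, 10);      /* "{-1}" yields ULONG_MAX */
}

/* Checked parse of an IMAP literal prefix "{n}".
 * Returns 0 and stores n on success, -1 on malformed or oversized input. */
int checked_literal_len(const char *txt, unsigned long *out)
{
    char *end;
    unsigned long n;

    if (txt == NULL || txt[0] != '{')
        return -1;
    /* strtoul skips whitespace and accepts '+' or '-', so insist on a digit. */
    if (!isdigit((unsigned char)txt[1]))
        return -1;
    errno = 0;
    n = strtoul(txt + 1, &end, 10);
    if (errno == ERANGE || *end != '}')     /* overflow or missing '}' */
        return -1;
    if (n > MAX_LITERAL)                    /* refuse before any copy is sized */
        return -1;
    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed inputs, including the "{-1}" value from the post. */
    const char *samples[] = { "{-1}", "{0}", "{12}", "{12", "{70000}" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long n = 0;
        int rc = checked_literal_len(samples[i], &n);
        printf("%-8s naive=%lu checked=%s\n", samples[i],
               naive_literal_len(samples[i]), rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```
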
