That's bizarre. The code checks for that, and rejects a literal size greater
than 0x7ffffffe. The check works on every system that I've tried. Whatever
compiler built it on your system must be generating a signed comparison.
-- Mark --
http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
Date: Fri, 8 Aug 2008 13:58:46 -0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [email protected]
Subject: Re: [Imap-uw] Crash fetching an empty text part
Thanks for the reply. strtoul() is returning 4294967295 in this case.
The max value, I guess, instead of the min. Thanks again.
Mark Crispin wrote:
It's a bug in the IMAP server. It is sending a literal (a type of string)
with a size count of -1. The size count for a literal is an unsigned,
non-zero, 32-bit value.
I wonder what strtoul() does in this case. I would have expected it to
return a 0.
I have added defensive code for this case in Panda IMAP; but the real fix is
going to be to the IMAP server. You ought to report this bug to Zimbra
and the Cyrus people.
-- Mark --
http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
Date: Fri, 8 Aug 2008 13:24:27 -0400
From: [EMAIL PROTECTED]
To: [email protected]
Subject: [Imap-uw] Crash fetching an empty text part
Hello,
I've got a php app using the php-imap extension and a segmentation fault
occurs during a call to imap_fetchbody on a specific message and
section. I've attached an example email message that causes my crash. It
seems a multipart/mixed message that contains a text part with no text
will crash when I attempt to fetch the empty part. I tried a message
that wasn't multipart and contained only a single empty text part and no
crash occurred.
Debugging, I see the crash occurs in memcpy called from c-client. I
believe that the problem is in the imap_parse_string function. The crash
scenario calls imap_parse_string with the value "{-1}" in the txtptr
parameter. Later in the function the "-1" is extracted and passed to
strtoul which understandably isn't terribly happy about being asked to
make a negative number unsigned. The crazy value returned from strtoul
is passed down to the memcpy which crashes.
At this point I am a bit stumped. I'm not sure where that "-1" is coming
from, though I suspect it could be from the imap server. We're using
Zimbra which uses cyrus (2.1.22.3) for imap. The php app is running on
Fedora 9 using php 5.2.6-2 and libc-client-2007b-1 both installed by rpm.
If there's any help or advice anyone can offer I would appreciate it.
Let me know if you need any more info. Thanks!
Imap-uw mailing list
[email protected]
http://mailman2.u.washington.edu/mailman/listinfo/imap-uw
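
The behaviour discussed in this thread, as an added example that is not c-client or Panda IMAP code: strtoul() accepts a leading minus sign and returns the negated value as an unsigned number, so a size count of "{-1}" becomes ULONG_MAX unless the parser insists on a digit first. The function names and sample inputs are assumptions made for illustration; the 0x7ffffffe bound is the one quoted in the thread.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_LITERAL 0x7ffffffeUL   /* upper bound quoted in the thread */

/* What the thread describes: strtoul() accepts a leading '-' and negates the
 * result in unsigned arithmetic, so "{-1}" yields ULONG_MAX, not 0 or an error. */
unsigned long naive_literal_size(const char *txt)
{
    return strtoul(txt + 1, NULL, 10);
}

/* Hypothetical strict parser for "{digits}". Returns 0 and stores the size in
 * *out on success, -1 on any malformed or out-of-range count. */
int parse_literal_size(const char *txt, unsigned long *out)
{
    char *end;
    unsigned long n;

    if (txt == NULL || txt[0] != '{')
        return -1;
    /* strtoul() would skip whitespace and accept '+'/'-': insist on a digit. */
    if (!isdigit((unsigned char)txt[1]))
        return -1;
    errno = 0;
    n = strtoul(txt + 1, &end, 10);
    if (errno == ERANGE || *end != '}')
        return -1;
    if (n > MAX_LITERAL)   /* unsigned comparison on an unsigned long */
        return -1;
    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured server traffic. */
    const char *samples[] = { "{-1}", "{42}", "{4294967295}", "{ 7}", "{12x}" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long n = 0;
        int rc = parse_literal_size(samples[i], &n);
        printf("%-14s naive=%lu strict=%s\n", samples[i],
               naive_literal_size(samples[i]), rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The value must pass the strict check before it is used as a length for memcpy() or an allocation.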