ID:               44613
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Closed
 Bug Type:         Reproducible crash
 Operating System: Windows XP
 PHP Version:      5.2CVS-2008-04-02 (snap)
 New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.




Previous Comments:
------------------------------------------------------------------------

[2008-04-02 15:20:54] [EMAIL PROTECTED]

Description:
------------
The crash in this case is due to lack of a sanity check on the "fromlength"
argument passed to imap_headerinfo().

In the php_imap.c code we have:

PHP_FUNCTION(imap_headerinfo)
{
        zval **streamind, **msgno, **fromlength, **subjectlength, **defaulthost;
        pils *imap_le_struct;
        MESSAGECACHE *cache;
        ENVELOPE *en;
        char dummy[2000], fulladdress[MAILTMPLEN];


where MAILTMPLEN is defined in mail.h as 1024. So stack space is
allocated for a buffer of 1024 bytes to receive the "from" details,
which are retrieved by the following code:

mail_fetchfrom(fulladdress, imap_le_struct->imap_stream, Z_LVAL_PP(msgno), Z_LVAL_PP(fromlength));

mail_fetchfrom uses the "fromlength" supplied on the imap_headerinfo()
call to clear out part of the "fulladdress" buffer to spaces before
copying the "from" string into it.
If the specified fromlength is greater than 1024 bytes (MAILTMPLEN)
then storage overwrites will occur and data corruption or crashes will
result.

The php_imap.c code needs to be changed to add a simple sanity check on
the input argument. Something along the following lines.

if (myargc >= 3) {
        convert_to_long_ex(fromlength);
        if (Z_LVAL_PP(fromlength) < 0 ) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "From length has to be greater than or equal to 0");
                RETURN_FALSE;
        }

        /* ---- start of new code ---- */
        /* reject lengths larger than the fulladdress buffer */
        if (Z_LVAL_PP(fromlength) > MAILTMPLEN ) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "From length must be less than or equal to %d bytes", MAILTMPLEN);
                RETURN_FALSE;
        }
        /* ---- end of new code ---- */
} else {
        fromlength = 0x00;
}

A similar check is also needed for the "subjectlength" argument.


Reproduce code:
---------------
<?php
var_dump(imap_headerinfo($imap_stream, $msg_no, 12345, 12345));
?>

Expected result:
----------------
Warning: imap_headerinfo(): From length must be less than or equal to
%d bytes
bool(false)

Actual result:
--------------
PHP crash


------------------------------------------------------------------------

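An added example, not code from php_imap.c or c-client: a constructed stand-in for the padding step the report describes, with the proposed bounds check written against the destination buffer's size. Because the stand-in terminates the padded field, the check reserves one byte for the terminator, which is one byte stricter than the report's "> MAILTMPLEN" test; the MAILTMPLEN value and the function names are assumptions.

```c
/* Added example, not code from php_imap.c or c-client: a constructed
 * stand-in for the padding step the report describes, plus the bounds
 * check it asks for. fetchfrom_pad() and checked_fetchfrom() are
 * hypothetical names. */
#include <stddef.h>
#include <string.h>

#define MAILTMPLEN 1024           /* c-client buffer size quoted in the report */

/* Stand-in for mail_fetchfrom()'s padding: fills `length` bytes of s with
 * spaces, copies the address over the start, and terminates the field.
 * Like the real routine it takes no buffer size, so the caller must check. */
static void fetchfrom_pad(char *s, const char *from, long length)
{
    size_t n = strlen(from);
    memset(s, ' ', (size_t)length);
    if (n > (size_t)length) n = (size_t)length;  /* truncate long addresses */
    memcpy(s, from, n);
    s[length] = '\0';                            /* one byte past the padding */
}

/* The sanity check the report proposes, expressed against the destination
 * capacity: length must be non-negative and leave room for the terminator.
 * Returns 0 if the length is acceptable, -1 if it must be rejected. */
int validate_fromlength(long length, size_t dst_size)
{
    if (length < 0) return -1;                   /* check php_imap.c already has */
    if ((size_t)length >= dst_size) return -1;   /* check the report adds */
    return 0;
}

/* Safe wrapper: validate before touching the fixed-size buffer.
 * Returns the padded width on success or -1 when the length is rejected. */
long checked_fetchfrom(char *dst, size_t dst_size, const char *from, long length)
{
    if (validate_fromlength(length, dst_size) != 0) return -1;
    fetchfrom_pad(dst, from, length);
    return length;
}

int main(void)
{
    char fulladdress[MAILTMPLEN];                /* the buffer from imap_headerinfo() */
    /* constructed sample sender, not taken from any real mailbox */
    long ok  = checked_fetchfrom(fulladdress, sizeof fulladdress, "alice@example.org", 30);
    long bad = checked_fetchfrom(fulladdress, sizeof fulladdress, "alice@example.org", 12345);
    return (ok == 30 && bad == -1) ? 0 : 1;     /* 12345 is the length from the repro */
}
```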

-- 
Edit this bug report at http://bugs.php.net/?id=44613&edit=1
