From: [EMAIL PROTECTED]
Operating system: Windows XP
PHP version: 5.2CVS-2008-04-07 (snap)
PHP Bug Type: Reproducible crash
Bug description: Crash in imap_mail_compose if "body" parameter invalid

Description:
------------
If imap_mail_compose is called with a "body" parameter which is NOT an indexed array of body parts where each body part is itself an associative array (as per the php.net manual description here: http://uk2.php.net/manual/en/function.imap-mail-compose.php) then a crash can occur.

I would expect the code to detect that the passed "body" array is invalid and return FALSE with a warning message; instead we crash around line 3156.

Although the code verifies that the first body part is itself an array without problems, if it's not an array then it's ignored. This then leads to a crash because the variable "bod" is not initialized when processing the first body part. We then crash when processing the 2nd body part in the following code:

    if (!toppart) {
        bod->nested.part = mail_newbody_part();   /* <<< CRASH HERE as "bod" is NULL */
        mypart = bod->nested.part;
        toppart = 1;
    } else {
        mypart->next = mail_newbody_part();
        mypart = mypart->next;
    }

I believe the code should detect when a body part is not an array and report an error rather than just skipping over the body part. The check at line 3049 which checks that the body part is an array needs to report an error if it isn't, i.e. change the code as follows:

    if (Z_TYPE_PP(data) != IS_ARRAY) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "body part parameter must be an array");
        RETURN_FALSE;
    } else {
        bod = mail_newbody();
        topbod = bod;
        .. etc

I'm also not sure about the check at around line 3148; skipping over body parts here which are not arrays will not result in a crash, but the code should probably report a similar error anyway.

Reproduce code:
---------------
<?php
$envelope["from"]= "[EMAIL PROTECTED]";
$envelope["to"] = "[EMAIL PROTECTED]";
$envelope["subject"] = "Test msg 1";

$part2["type"] = TYPETEXT;
$part2["subtype"] = "plain";
$part2["description"] = "imap_mail_compose() function";
$part2["contents.data"] = "Crash in imap_mail_compose if first element of bofy array not an array";

$body[1] = NULL;
$body[2] = $part2;

var_dump(imap_mail_compose($envelope, $body));
?>

Expected result:
----------------
FALSE return with warning msg.

Actual result:
--------------
Exception at around line 3156

-- 
Edit bug report at http://bugs.php.net/?id=44663&edit=1
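
A simplified C model of the failure and of the check the report asks for, added here as an illustration; it is not code from the PHP source. The `elem`, `part` and `body` types and all function names are stand-ins assumed for the example, and a NULL return plays the role of the warning plus `RETURN_FALSE`.

```c
#include <stdio.h>
#include <stdlib.h>
/* Stand-ins (assumptions) for a zval's type tag and c-client's BODY/PART. */
typedef struct { int is_array; const char *data; } elem;   /* one "body" element */
typedef struct part { const char *data; struct part *next; } part;
typedef struct { const char *data; part *nested; } body;

/* Control flow as the report describes it: a non-array first element is skipped,
 * so no top-level body exists. Returns 1 when a later array element would reach
 * the "bod->nested.part = ..." line with bod still NULL. */
int skipping_flow_hits_null(const elem *in, size_t n) {
    int have_bod = (n > 0 && in[0].is_array);
    for (size_t i = 1; i < n; i++)
        if (in[i].is_array && !have_bod) return 1;
    return 0;
}

/* Index of the first element that is not an array, or -1 if all are. */
long first_invalid(const elem *in, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!in[i].is_array) return (long)i;
    return -1;
}
void free_body(body *b) {
    for (part *p = b ? b->nested : NULL, *next; p; p = next) { next = p->next; free(p); }
    free(b);
}

/* Checked flow: reject the whole call before allocating anything, so the
 * error path has nothing to free and no pointer is used unset. */
body *compose_checked(const elem *in, size_t n) {
    if (n == 0 || first_invalid(in, n) >= 0) return NULL;
    body *bod = calloc(1, sizeof *bod);
    if (!bod) return NULL;
    bod->data = in[0].data;
    part **tail = &bod->nested;
    for (size_t i = 1; i < n; i++) {
        if (!(*tail = calloc(1, sizeof **tail))) { free_body(bod); return NULL; }
        (*tail)->data = in[i].data;
        tail = &(*tail)->next;
    }
    return bod;
}

int main(void) {
    elem bad[] = { {0, NULL}, {1, "text part"} };   /* constructed: $body[1] = NULL */
    printf("null deref: %d, first invalid: %ld, checked: %p\n", skipping_flow_hits_null(bad, 2),
           first_invalid(bad, 2), (void *)compose_checked(bad, 2));
    return 0;
}
```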
