ID:               44663
Updated by:       [EMAIL PROTECTED]
Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Assigned
Bug Type:         Reproducible crash
Operating System: Windows XP
PHP Version:      5.2CVS-2008-04-07 (snap)
-Assigned To:
+Assigned To:      iliaa

Previous Comments:
------------------------------------------------------------------------

[2008-04-07 14:53:57] [EMAIL PROTECTED]

Description:
------------
If imap_mail_compose is called with a "body" parameter which is NOT an
indexed array of body parts where each body part is itself an
associative array (as per the php.net manual description here:
http://uk2.php.net/manual/en/function.imap-mail-compose.php) then a
crash can occur.

I would expect the code to detect that the passed "body" array is
invalid and return FALSE with a warning message; instead we crash
around line 3156.

Although the code verifies that the first body part is itself an array
without problems, if it's not an array then it's ignored. This then
leads to a crash because the variable "bod" is not initialized when
processing the first body part. We then crash when processing the 2nd
body part in the following code:

    if (!toppart) {
        bod->nested.part = mail_newbody_part();   /* <<< CRASH HERE as "bod" is NULL */
        mypart = bod->nested.part;
        toppart = 1;
    } else {
        mypart->next = mail_newbody_part();
        mypart = mypart->next;
    }

I believe the code should detect when a body part is not an array and
report an error rather than just skipping over the body part.

The check at line 3049 which checks that the body part is an array
needs to report an error if it isn't, i.e. change the code as follows:

    if (Z_TYPE_PP(data) != IS_ARRAY) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "body part parameter must be an array");
        RETURN_FALSE;
    } else {
        bod = mail_newbody();
        topbod = bod;
        .. etc

I'm also not sure about the check at around line 3148; skipping over
body parts here which are not arrays will not result in a crash, but
the code should probably report a similar error anyway.

Reproduce code:
---------------
<?php
$envelope["from"]= "[EMAIL PROTECTED]";
$envelope["to"]  = "[EMAIL PROTECTED]";
$envelope["subject"]  = "Test msg 1";

$part2["type"] = TYPETEXT;
$part2["subtype"] = "plain";
$part2["description"] = "imap_mail_compose() function";
$part2["contents.data"] = "Crash in imap_mail_compose if first element of bofy array not an array";

$body[1] = NULL;
$body[2] = $part2;

var_dump(imap_mail_compose($envelope, $body));
?>

Expected result:
----------------
FALSE return with warning msg.

Actual result:
--------------
Exception at around line 3156

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=44663&edit=1
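
The control flow described in this report, as an added C example that is not taken from the report or from the PHP source: it replays the skip-then-dereference logic without touching memory and sets it beside a validate-first variant. The names enum kind, struct part, struct body and all four functions are constructed stand-ins for the zval type check and the c-client structures.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for the zval type check and the c-client structures. */
enum kind { K_NULL, K_ARRAY };
struct part { struct part *next; };
struct body { struct part *nested; };

/* Replays the control flow described in the report without dereferencing:
 * returns 1 if it would reach `bod->nested.part` while bod is still NULL. */
int original_flow_hits_null(const enum kind *parts, size_t n)
{
    int bod_set = (n > 0 && parts[0] == K_ARRAY); /* non-array first part: skipped */
    for (size_t i = 1; i < n; i++)
        if (parts[i] == K_ARRAY)                  /* later non-arrays: skipped */
            return !bod_set;                      /* first later array takes !toppart */
    return 0;
}

void free_body(struct body *b)
{
    if (!b) return;
    for (struct part *p = b->nested, *nx; p; p = nx) { nx = p->next; free(p); }
    free(b);
}

/* Hardened flow: validate every part first and reject instead of skipping.
 * On a non-array part returns NULL and stores its 1-based position in *bad.
 * An empty list is rejected with *bad left at 0 (assumption of this sketch). */
struct body *compose_checked(const enum kind *parts, size_t n, size_t *bad)
{
    *bad = 0;
    if (n == 0) return NULL;
    for (size_t i = 0; i < n; i++)
        if (parts[i] != K_ARRAY) { *bad = i + 1; return NULL; }
    struct body *bod = calloc(1, sizeof *bod);    /* first part becomes the top body */
    if (!bod) return NULL;
    struct part **tail = &bod->nested;            /* remaining parts chain under it */
    for (size_t i = 1; i < n; i++, tail = &(*tail)->next)
        if (!(*tail = calloc(1, sizeof **tail))) { free_body(bod); return NULL; }
    return bod;
}

size_t nested_count(const struct body *b)
{
    size_t c = 0;
    for (const struct part *p = b->nested; p; p = p->next) c++;
    return c;
}
```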
