From:             [EMAIL PROTECTED]
Operating system: RH Linux 7.3
PHP version:      4.2.3
PHP Bug Type:     IMAP related
Bug description:  PHP crashes with signal 11 while trying to parse message with 
uncommon headers

Hi,

I found two bugs on the imap handling functions in PHP 4.2.3:
  - If a message contains a header with empty contents (like Reply-to: <>
or Sender: <>), the web server running php crashes whenever a script tries
to parse this message. I ran Apache 1.3.26 compiled against ElectricFence
and found out that the bug is on _php_make_header_object: if the header
contents are empty, _php_imap_parse_address won't allocate memory for
fulladdress, but the function will call free() on fulladdress
nevertheless. This leads to heap corruption and subsequent segmentation
fault.
   - It seems like _php_imap_address_size doesn't compute the header size
correctly. If the number of addresses in a field is very large, this leads
to a buffer overflow in c-client's rfc822_address.

My setup is:
Apache 1.3.26
PHP 4.2.3 compiled as a DSO with the following options:
/configure  --prefix=/data/www/consumer/conf --enable-track-vars
--with-imap=/usr/local/app/imap-2002 --with-ldap=/usr/local/app/openldap
--with-oracle=/usr/local/app/oracle_client
--with-oci8=/usr/local/app/oracle_client
--with-apxs=/data/www/consumer/bin/apxs
--with-msession=/usr/local/app/phoenix --with-mysql
--with-openssl=/usr/local/app/openssl --with-xml
--with-curl=/usr/local/app/curl

Test messages:
   - For the first bug: any message with a header field with empty
contents (like Sender: <> )
   - For the second bug: any message with a large (in my test there were
500) number of recipients on the To: or Cc: fields.

Backtrace for the first bug:
0x4009fa01 in __kill () at __kill:-1
#1  0x0809a69d in EF_Abort (pattern=0x80aa540 "free(%a): address not from
malloc().") at print.c:137
#2  0x08099f2a in free (address=0x4eacabcc) at efence.c:632
#3  0x404cc5b3 in _php_make_header_object (myzvalue=0x4ec6ffec,
en=0x4ee32fbc) at php_imap.c:3724
#4  0x404c186b in zif_imap_headerinfo (ht=2, return_value=0x4ec6ffec,
this_ptr=0x0, return_value_used=1) at php_imap.c:1631
#5  0x40482e39 in execute (op_array=0x463affa4) at ./zend_execute.c:1598
#6  0x40493b2c in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at zend.c:812
#7  0x404a63b6 in php_execute_script (primary_file=0xbffff6b0) at
main.c:1383
#8  0x404a0dbe in apache_php_module_main (r=0x445b9028,
display_source_mode=0) at sapi_apache.c:90
#9  0x404a1c2c in send_php (r=0x445b9028, display_source_mode=0,
    filename=0x445bacc8 "/data/www/consumer/htdocs/memail/mailbox.php3")
at mod_php4.c:575
#10 0x404a1c99 in send_parsed_php (r=0x445b9028) at mod_php4.c:590
#11 0x08055287 in ap_invoke_handler ()
#12 0x0806a307 in process_request_internal ()
#13 0x0806a368 in ap_process_request ()
#14 0x08061289 in child_main ()
#15 0x08061458 in make_child ()
#16 0x080615cc in startup_children ()
#17 0x08061c44 in standalone_main ()
#18 0x080624c3 in main ()
#19 0x4008d507 in __libc_start_main (main=0x8062100 <main>, argc=2,
ubp_av=0xbffffae4, init=0x804f718 <_init>,
    fini=0x809a8f0 <_fini>, rtld_fini=0x4000dc14 <_dl_fini>,
stack_end=0xbffffadc) at ../sysdeps/generic/libc-start.c:129

Backtrace for the second bug:
#0  0x400f68f7 in strcat () at strcat:-1
#1  0x4f5e7fe8 in ?? ()
#2  0x405b74b9 in rfc822_write_address_full (
    dest=0x4faa36a8 "\"[EMAIL PROTECTED]\" <[EMAIL PROTECTED]>,
\"[EMAIL PROTECTED]\" <[EMAIL PROTECTED]>,
\"[EMAIL PROTECTED]\" <[EMAIL PROTECTED]>,
\"[EMAIL PROTECTED]\" <agre"...,
    adr=0x4eea7fe8, base=0x0) at rfc822.c:193
#3  0x404cbce6 in _php_imap_parse_address (addresslist=0x4eea7fe8,
fulladdress=0xbfff472c, paddress=0x4f6eafec)
    at php_imap.c:3626
#4  0x404cc173 in _php_make_header_object (myzvalue=0x4f6adfec,
en=0x4eba5fbc) at php_imap.c:3667
#5  0x404c186b in zif_imap_headerinfo (ht=2, return_value=0x4f6adfec,
this_ptr=0x0, return_value_used=1) at php_imap.c:1631
#6  0x40482e39 in execute (op_array=0x446b1fa4) at ./zend_execute.c:1598
#7  0x40493b2c in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at zend.c:812
#8  0x404a63b6 in php_execute_script (primary_file=0xbffff6d0) at
main.c:1383
#9  0x404a0dbe in apache_php_module_main (r=0x445b9028,
display_source_mode=0) at sapi_apache.c:90
#10 0x404a1c2c in send_php (r=0x445b9028, display_source_mode=0,
    filename=0x445bace8 "/data/www/consumer/htdocs/memail/mailbox.php3")
at mod_php4.c:575
#11 0x404a1c99 in send_parsed_php (r=0x445b9028) at mod_php4.c:590
#12 0x08055287 in ap_invoke_handler ()
#13 0x0806a307 in process_request_internal ()
#14 0x0806a368 in ap_process_request ()
#15 0x08061289 in child_main ()
#16 0x08061458 in make_child ()
#17 0x080615cc in startup_children ()
#18 0x08061c44 in standalone_main ()
#19 0x080624c3 in main ()
#20 0x4008d507 in __libc_start_main (main=0x8062100 <main>, argc=2,
ubp_av=0xbffffb04, init=0x804f718 <_init>,
    fini=0x809a8f0 <_fini>, rtld_fini=0x4000dc14 <_dl_fini>,
stack_end=0xbffffafc) at ../sysdeps/generic/libc-start.c:129

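As an added example (not PHP's or c-client's code), the following C model shows the two invariants the report is about: the size routine and the writer it feeds must agree byte for byte, with the write bounded so that a miscount fails closed instead of overflowing the heap, and the rendered pointer stays NULL for an empty header so the caller's free() is harmless. The struct, function names and sample addresses are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of a parsed address list (hypothetical; not c-client's ADDRESS). */
typedef struct addr { const char *personal, *mailbox, *host; struct addr *next; } addr_t;
/* Bytes needed to render `"Name" <mailbox@host>, ...` plus the NUL. Each term mirrors
 * one piece emitted by render_address_list; that match is what _php_imap_address_size lost. */
size_t address_list_size(const addr_t *a) {
    size_t n = 1;                                       /* terminating NUL */
    for (; a; a = a->next) {
        if (a->personal) n += strlen(a->personal) + 3;  /* "name" plus space */
        n += strlen(a->mailbox) + strlen(a->host) + 3;  /* <mailbox@host> */
        if (a->next) n += 2;                            /* ", " */
    }
    return n;
}
/* Renders into a buffer of exactly address_list_size bytes. Returns NULL for an empty
 * list, or if the bounded write would exceed the computed size (an unbounded strcat
 * would overflow here instead). */
char *render_address_list(const addr_t *a) {
    if (!a) return NULL;
    size_t cap = address_list_size(a), used = 0;
    char *out = malloc(cap);
    if (!out) return NULL;
    for (; a; a = a->next) {
        int w = snprintf(out + used, cap - used, "%s%s%s<%s@%s>%s",
                         a->personal ? "\"" : "", a->personal ? a->personal : "",
                         a->personal ? "\" " : "", a->mailbox, a->host,
                         a->next ? ", " : "");
        if (w < 0 || (size_t)w >= cap - used) { free(out); return NULL; }
        used += (size_t)w;
    }
    return out;
}
/* Builds `count` constructed recipients, renders them and checks that the output
 * length matches the precomputed size; count 0 must yield no allocation. Returns 1 on success. */
int check_size_invariant(int count) {
    addr_t *list = calloc(count > 0 ? (size_t)count : 1, sizeof *list);
    if (!list) return 0;
    for (int i = 0; i < count; i++) {
        list[i].personal = (i % 2) ? "Test User" : NULL;
        list[i].mailbox = "user"; list[i].host = "example.org";
        list[i].next = (i + 1 < count) ? &list[i + 1] : NULL;
    }
    char *s = render_address_list(count ? list : NULL);
    int ok = count ? (s && strlen(s) + 1 == address_list_size(list)) : (s == NULL);
    free(s);      /* s is NULL or heap-owned; free() never sees an uninitialised pointer */
    free(list);
    return ok;
}
```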

-- 
Edit bug report at http://bugs.php.net/?id=20763&edit=1