ID: 20763
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Feedback
+Status: Closed
Bug Type: IMAP related
Operating System: RH Linux 7.3
PHP Version: 4.2.3
New Comment:

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

In case this was a documentation problem, the fix will show up soon at http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show up on the PHP.net site and on the mirror sites in short time.

Thank you for the report, and for helping us make PHP better.


Previous Comments:
------------------------------------------------------------------------

[2002-12-02 09:21:48] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz

For Windows:

  http://snaps.php.net/win32/php4-win32-latest.zip

I do believe this was recently dealt with....

------------------------------------------------------------------------

[2002-12-02 09:17:23] [EMAIL PROTECTED]

Hi,

I found two bugs in the imap handling functions in PHP 4.2.3:

- If a message contains a header with empty contents (like Reply-to: <> or Sender: <>), the web server running php crashes whenever a script tries to parse this message. I ran Apache 1.3.26 compiled against ElectricFence and found out that the bug is in _php_make_header_object: if the header contents are empty, _php_imap_parse_address won't allocate memory for fulladdress, but the function will call free() on fulladdress nevertheless. This leads to heap corruption and a subsequent segmentation fault.

- It seems like _php_imap_address_size doesn't compute the header size correctly. If the number of addresses in a field is very large, this leads to a buffer overflow in c-client's rfc822_address.

My setup is:

Apache 1.3.26
PHP 4.2.3 compiled as a DSO with the following options:
/configure --prefix=/data/www/consumer/conf --enable-track-vars --with-imap=/usr/local/app/imap-2002 --with-ldap=/usr/local/app/openldap --with-oracle=/usr/local/app/oracle_client --with-oci8=/usr/local/app/oracle_client --with-apxs=/data/www/consumer/bin/apxs --with-msession=/usr/local/app/phoenix --with-mysql --with-openssl=/usr/local/app/openssl --with-xml --with-curl=/usr/local/app/curl

Test messages:
- For the first bug: any message with a header field with empty contents (like Sender: <>)
- For the second bug: any message with a large (in my test there were 500) number of recipients in the To: or Cc: fields.

Backtrace for the first bug:

0x4009fa01 in __kill () at __kill:-1
#1 0x0809a69d in EF_Abort (pattern=0x80aa540 "free(%a): address not from malloc().") at print.c:137
#2 0x08099f2a in free (address=0x4eacabcc) at efence.c:632
#3 0x404cc5b3 in _php_make_header_object (myzvalue=0x4ec6ffec, en=0x4ee32fbc) at php_imap.c:3724
#4 0x404c186b in zif_imap_headerinfo (ht=2, return_value=0x4ec6ffec, this_ptr=0x0, return_value_used=1) at php_imap.c:1631
#5 0x40482e39 in execute (op_array=0x463affa4) at ./zend_execute.c:1598
#6 0x40493b2c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:812
#7 0x404a63b6 in php_execute_script (primary_file=0xbffff6b0) at main.c:1383
#8 0x404a0dbe in apache_php_module_main (r=0x445b9028, display_source_mode=0) at sapi_apache.c:90
#9 0x404a1c2c in send_php (r=0x445b9028, display_source_mode=0, filename=0x445bacc8 "/data/www/consumer/htdocs/memail/mailbox.php3") at mod_php4.c:575
#10 0x404a1c99 in send_parsed_php (r=0x445b9028) at mod_php4.c:590
#11 0x08055287 in ap_invoke_handler ()
#12 0x0806a307 in process_request_internal ()
#13 0x0806a368 in ap_process_request ()
#14 0x08061289 in child_main ()
#15 0x08061458 in make_child ()
#16 0x080615cc in startup_children ()
#17 0x08061c44 in standalone_main ()
#18 0x080624c3 in main ()
#19 0x4008d507 in __libc_start_main (main=0x8062100 <main>, argc=2, ubp_av=0xbffffae4, init=0x804f718 <_init>, fini=0x809a8f0 <_fini>, rtld_fini=0x4000dc14 <_dl_fini>, stack_end=0xbffffadc) at ../sysdeps/generic/libc-start.c:129

Backtrace for the second bug:

#0 0x400f68f7 in strcat () at strcat:-1
#1 0x4f5e7fe8 in ?? ()
#2 0x405b74b9 in rfc822_write_address_full (dest=0x4faa36a8 "\"[EMAIL PROTECTED]\" <[EMAIL PROTECTED]>, \"[EMAIL PROTECTED]\" <[EMAIL PROTECTED]>, \"[EMAIL PROTECTED]\" <[EMAIL PROTECTED]>, \"[EMAIL PROTECTED]\" <agre"..., adr=0x4eea7fe8, base=0x0) at rfc822.c:193
#3 0x404cbce6 in _php_imap_parse_address (addresslist=0x4eea7fe8, fulladdress=0xbfff472c, paddress=0x4f6eafec) at php_imap.c:3626
#4 0x404cc173 in _php_make_header_object (myzvalue=0x4f6adfec, en=0x4eba5fbc) at php_imap.c:3667
#5 0x404c186b in zif_imap_headerinfo (ht=2, return_value=0x4f6adfec, this_ptr=0x0, return_value_used=1) at php_imap.c:1631
#6 0x40482e39 in execute (op_array=0x446b1fa4) at ./zend_execute.c:1598
#7 0x40493b2c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:812
#8 0x404a63b6 in php_execute_script (primary_file=0xbffff6d0) at main.c:1383
#9 0x404a0dbe in apache_php_module_main (r=0x445b9028, display_source_mode=0) at sapi_apache.c:90
#10 0x404a1c2c in send_php (r=0x445b9028, display_source_mode=0, filename=0x445bace8 "/data/www/consumer/htdocs/memail/mailbox.php3") at mod_php4.c:575
#11 0x404a1c99 in send_parsed_php (r=0x445b9028) at mod_php4.c:590
#12 0x08055287 in ap_invoke_handler ()
#13 0x0806a307 in process_request_internal ()
#14 0x0806a368 in ap_process_request ()
#15 0x08061289 in child_main ()
#16 0x08061458 in make_child ()
#17 0x080615cc in startup_children ()
#18 0x08061c44 in standalone_main ()
#19 0x080624c3 in main ()
#20 0x4008d507 in __libc_start_main (main=0x8062100 <main>, argc=2, ubp_av=0xbffffb04, init=0x804f718 <_init>, fini=0x809a8f0 <_fini>, rtld_fini=0x4000dc14 <_dl_fini>, stack_end=0xbffffafc) at ../sysdeps/generic/libc-start.c:129

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=20763&edit=1
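The two defects the reporter describes above are a matched pair that shows up in many C header parsers: a caller that free()s an output pointer the callee never allocated (the empty Sender: <> path), and a size pre-computation that disagrees with the writer that later fills the buffer (the 500-recipient path). The following is an added, self-contained C example written for this page, not PHP's php_imap.c or c-client's rfc822.c. It uses a constructed address node type (address_t, with personal/mailbox/host fields that are assumptions, not c-client's layout) and hypothetical function names, and it demonstrates the defensive shape for both problems: the size function counts exactly the bytes the renderer emits, the renderer bounds every write with the remaining capacity so a miscount can only truncate, and the caller-facing function sets its output pointer to NULL before anything can fail so that free() on the empty-field path is a harmless no-op.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a c-client ADDRESS node; the field names are
 * assumptions made for this example, not c-client's own. */
typedef struct address {
    const char *personal;       /* display name, NULL when absent */
    const char *mailbox, *host; /* local part and domain */
    struct address *next;
} address_t;

/* Exact size of the list rendered as  "personal" <mailbox@host>, ...  with
 * separators and the NUL included: it counts precisely the bytes the renderer
 * below emits, for any list length. */
size_t address_list_size(const address_t *list)
{
    size_t n = 1;                                              /* NUL */
    for (const address_t *a = list; a; a = a->next) {
        if (a->personal) n += 1 + strlen(a->personal) + 2;     /* "name" + space */
        n += 1 + strlen(a->mailbox) + 1 + strlen(a->host) + 1; /* <mailbox@host> */
        if (a->next) n += 2;                                   /* ", " */
    }
    return n;
}

/* Render the list into a freshly allocated buffer. An empty list yields NULL
 * and allocates nothing; every write is bounded by the remaining capacity, so
 * even a size miscount would truncate instead of overrunning the heap. */
char *address_list_render(const address_t *list)
{
    if (!list) return NULL;
    size_t cap = address_list_size(list), used = 0;
    char *out = malloc(cap);
    if (!out) return NULL;
    for (const address_t *a = list; a; a = a->next) {
        int w = a->personal
            ? snprintf(out + used, cap - used, "\"%s\" <%s@%s>",
                       a->personal, a->mailbox, a->host)
            : snprintf(out + used, cap - used, "<%s@%s>", a->mailbox, a->host);
        if (w < 0 || (size_t)w >= cap - used) break;           /* would truncate */
        used += (size_t)w;
        if (a->next) {
            w = snprintf(out + used, cap - used, ", ");
            if (w < 0 || (size_t)w >= cap - used) break;
            used += (size_t)w;
        }
    }
    return out;
}

/* Caller side of the first bug: the output pointer is set to NULL before
 * anything can fail, so the caller may free() it unconditionally (free(NULL)
 * is a no-op) whether or not the field held any addresses. Returns 1 if a
 * string was produced. */
int header_fulladdress(const address_t *list, char **fulladdress)
{
    *fulladdress = NULL;
    if (list) *fulladdress = address_list_render(list);
    return *fulladdress != NULL;
}

/* Constructed test data: a list of n identical recipients. */
address_t *make_list(size_t n)
{
    address_t *head = NULL;
    for (size_t i = 0; i < n; i++) {
        address_t *a = calloc(1, sizeof *a);
        if (!a) break;
        a->personal = "Example User"; a->mailbox = "user"; a->host = "example.test";
        a->next = head; head = a;
    }
    return head;
}

void free_list(address_t *list)
{
    while (list) { address_t *n = list->next; free(list); list = n; }
}

/* 1 when n recipients render into exactly the bytes address_list_size()
 * reserved (n == 0 exercises the empty-field path: nothing allocated,
 * nothing to free). */
int render_fits(size_t n)
{
    address_t *l = make_list(n);
    char *s = NULL;
    int have = header_fulladdress(l, &s);
    int ok = n == 0 ? (!have && s == NULL)
                    : (have && strlen(s) + 1 == address_list_size(l));
    free(s);                        /* NULL when the field was empty */
    free_list(l);
    return ok;
}

int main(void)
{
    printf("empty: %d  one: %d  500: %d\n", render_fits(0), render_fits(1), render_fits(500));
    return 0;
}
```

The check in render_fits is the one worth keeping in a regression suite for code like this: render the field, then assert that the string's length plus its terminator equals the pre-computed size. If the two functions ever drift apart (a new separator, a quoting rule added to one but not the other), the assertion fails on a 500-recipient fixture long before an undersized buffer turns into heap corruption in production.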