ID: 22638
User updated by: dsilvers at pepperfish dot net
Reported By: dsilvers at pepperfish dot net
-Status: Feedback
+Status: Open
Bug Type: Reproducible crash
Operating System: Linux
PHP Version: 4.3.1
New Comment:
Right. With the snapshot:
php4-STABLE-200303181830
I get exactly the same outward behaviour (i.e. PHP dies when I read a
message with a 'CC: <>' header in it).
This is the gdb:
Program received signal SIGSEGV, Segmentation fault.
0x402d29d1 in malloc () from /lib/libc.so.6
(gdb) bt
#0 0x402d29d1 in malloc () from /lib/libc.so.6
#1 0x402d2074 in malloc () from /lib/libc.so.6
#2 0x0811debc in _emalloc (size=12)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/Zend/zend_alloc.c:158
#3 0x0813a1dd in execute (op_array=0x8334174)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/Zend/zend_execute.c:1601
#4 0x0813a3b4 in execute (op_array=0x8406dcc)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/Zend/zend_execute.c:1650
#5 0x0812af28 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/Zend/zend.c:864
#6 0x08108caa in php_execute_script (primary_file=0xbffffe48)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/main/main.c:1647
#7 0x081454b3 in main (argc=1, argv=0xbffffec4)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/sapi/cgi/cgi_main.c:1480
Any ideas?
Previous Comments:
------------------------------------------------------------------------
[2003-03-11 20:44:08] [EMAIL PROTECTED]
Please try using this CVS snapshot:
http://snaps.php.net/php4-STABLE-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php4-win32-STABLE-latest.zip
And what part of IMP causes the crash?
Reading it from the imap server?
Processing the mail?
------------------------------------------------------------------------
[2003-03-11 13:49:24] dsilvers at pepperfish dot net
When attempting to view an email from British Airways, Horde/IMP would
cause a reliably reproducible segmentation fault in the zend hash
implementation.
I have worked the minimum-tripping example to:
---CUT
>From [EMAIL PROTECTED] Mon Mar 10 17:23:48 2003
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
CC: <>
Reply-To: <[EMAIL PROTECTED]>
Subject: Crashy email
This email crashes IMP
---CUT
The guys at horde.org say it's a PHP problem and that I should ask you
guys to solve it.
If you could, I'd be very very grateful -- I have several customers
whose email is very affected by this bug.
It appears that the bug is provoked by the adding of the odd CC header
into the hash table of headers maintained by the IMAP code.
Here is a GDB backtrace of it happening in 4.3.1 release:
Program received signal SIGSEGV, Segmentation fault.
0x402d2998 in malloc () from /lib/libc.so.6
(gdb) bt
#0 0x402d2998 in malloc () from /lib/libc.so.6
#1 0x402d2074 in malloc () from /lib/libc.so.6
#2 0x0811d53c in _emalloc (size=53)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_alloc.c:154
#3 0x0812d126 in zend_hash_add_or_update (ht=0x833a004,
    arKey=0x8159ee6 "mon_thousands_sep", nKeyLength=18, pData=0xbfff2118,
    nDataSize=4, pDest=0x0, flag=1)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_hash.c:262
#4 0x0812b61c in add_assoc_string_ex (arg=0x828d864,
    key=0x8159ee6 "mon_thousands_sep", key_len=18, str=0x404a30c9 ",",
    duplicate=1)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_API.c:673
#5 0x080d953d in zif_localeconv (ht=0, return_value=0x828d864, this_ptr=0x0,
    return_value_used=1)
    at /home/dsilvers/new-webmail/php-4.3.1/ext/standard/string.c:3766
#6 0x0813982a in execute (op_array=0x836253c)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_execute.c:1598
#7 0x08139984 in execute (op_array=0x83639a4)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_execute.c:1640
#8 0x08139984 in execute (op_array=0x8362a2c)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_execute.c:1640
#9 0x08139984 in execute (op_array=0x824dcbc)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_execute.c:1640
#10 0x0812a598 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend.c:864
#11 0x081087ef in php_execute_script (primary_file=0xbffffe48)
    at /home/dsilvers/new-webmail/php-4.3.1/main/main.c:1573
#12 0x08144a43 in main (argc=1, argv=0xbffffec4)
    at /home/dsilvers/new-webmail/php-4.3.1/sapi/cgi/cgi_main.c:1424
(gdb) quit
Here's my configure line:
./configure --enable-fastcgi --with-pgsql --disable-ipv6 --with-imap
--with-gettext --with-xml --with-mcrypt --prefix=/usr/local/webmail/php
--with-imap-ssl --with-zlib --disable-safe-mode
Here's info about the system:
Linux salmon 2.4.18 #1 Thu Mar 14 19:06:39 GMT 2002 i686 unknown
It's a Duron 600 based system with plenty of free RAM and swap.
It is running Debian GNU/Linux 3.0r1 (Woody) with security patches.
PHP is compiled up from source.
If there's any other information you need, just yell.
D.
------------------------------------------------------------------------
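A triage aid for the report above, added here as an example and not part of the original report or of PHP or Horde code: it scans mbox text for messages whose address headers contain an empty `<>`, the trigger described in the report, so affected mail can be located before a webmail client opens it. The sample mailbox and its example.org addresses are constructed; the list of headers checked is an assumption.

```python
import re
from email.parser import HeaderParser

# Headers that carry address lists. Return-Path is left out on purpose:
# an empty "Return-Path: <>" is normal on bounce messages.
ADDRESS_HEADERS = ("from", "to", "cc", "bcc", "reply-to", "sender")
EMPTY_ANGLE = re.compile(r"<\s*>")  # angle brackets with nothing inside

def split_mbox(text):
    """Yield raw messages from mbox text, splitting on 'From ' separator lines."""
    current = []
    for line in text.splitlines(keepends=True):
        if line.startswith("From ") and current:
            yield "".join(current)
            current = []
        current.append(line)
    if current:
        yield "".join(current)

def empty_address_headers(raw_message):
    """Return [(header_name, value)] for address headers containing '<>'."""
    if raw_message.startswith("From "):  # drop the mbox separator line
        raw_message = raw_message.partition("\n")[2]
    headers = HeaderParser().parsestr(raw_message, headersonly=True)
    return [(name, str(value).strip())
            for name, value in headers.items()
            if name.lower() in ADDRESS_HEADERS and EMPTY_ANGLE.search(str(value))]

def scan_mbox(text):
    """Return {message_index: hits} for every message with at least one hit."""
    result = {}
    for index, raw in enumerate(split_mbox(text)):
        hits = empty_address_headers(raw)
        if hits:
            result[index] = hits
    return result

# Constructed sample: message 0 mirrors the minimal example in the report,
# message 1 is a harmless bounce-style message with an empty Return-Path.
SAMPLE_MBOX = (
    "From sender@example.org Mon Mar 10 17:23:48 2003\n"
    "From: <sender@example.org>\nTo: <rcpt@example.org>\nCC: <>\n"
    "Reply-To: <sender@example.org>\nSubject: Crashy email\n\n"
    "This email crashes IMP\n\n"
    "From other@example.org Tue Mar 11 09:00:00 2003\n"
    "Return-Path: <>\nFrom: <other@example.org>\nTo: <rcpt@example.org>\n"
    "Cc: <third@example.org>\nSubject: Fine\n\nBody mentioning <> in text\n"
)

if __name__ == "__main__":
    for index, hits in scan_mbox(SAMPLE_MBOX).items():
        print(f"message {index}: {hits}")
```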
--
Edit this bug report at http://bugs.php.net/?id=22638&edit=1