ID: 40925
Updated by: [EMAIL PROTECTED]
Reported By: dan at westernitgroup dot com
-Status: Open
+Status: Feedback
Bug Type: IMAP related
Operating System: Linux
PHP Version: 4.4.6
New Comment:
Doesn't look like a PHP problem.
Please update c-client to the latest available version and rebuild PHP.
Previous Comments:
------------------------------------------------------------------------
[2007-03-26 18:57:38] dan at westernitgroup dot com
Description:
------------
Apache core dumps with a call to fatal("rfc822.c legacy routine buffer
overflow") in IMAP rfc822.c.
The buffer overflow is being caused by writing more than SENDBUFLEN bytes
to the IMAP output buffer.
What is the appropriate limit for this define? (currently set to
16385).
Reproduce code:
---------------
Running Horde/IMP during email compose.
Expected result:
----------------
No Core Dump
Actual result:
--------------
Core Dump
GDB Stackdump
#1 0x42028a73 in abort () from /lib/tls/libc.so.6
No symbol table info available.
#2 0xb7bbcf65 in fatal (string=0xb7cb6100 "rfc822.c legacy routine
buffer overflow") at ftl_unix.c:38
No locals.
#3 0xb7bdf2dc in rfc822_legacy_soutr (stream=0x0,
string=0x89485a8 "[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],"...) at
rfc822.c:2156
No locals.
#4 0xb7bddac7 in rfc822_output_flush (buf=0x42130a14) at
rfc822.c:1368
No locals.
#5 0xb7bdda5a in rfc822_output_data (buf=0xbfff1ef0, string=0x8915137
"ools.com", len=8) at rfc822.c:1341
i = 15
#6 0xb7bddaa7 in rfc822_output_string (buf=0xbfff1ef0,
string=0x42130a14 "
\t\023BP÷Ô·°lÿ·Ð\235\aB^P\001BnP\001B~P\001BÀFÿ·\220Á\aB®P\001BÐ2\aBÎP\001BÞP\001B\0205\aBð]ÿ·\016Q\001B\036Q\001B.Q\001BP§\aBNQ\001B^Q\001BnQ\001B~Q\001B\216Q\001BÀyÿ·®Q\001B¾Q\001BÎQ\001B`)ÿ·Pº\aBà¬\aB")
at rfc822.c:1354
No locals.
#7 0xb7bde1d5 in rfc822_output_address (buf=0xbfff1ef0, adr=0x89150f0)
at rfc822.c:1561
No locals.
#8 0xb7bddfd1 in rfc822_output_address_list (buf=0xbfff1ef0,
adr=0x89150f0, pretty=0, specials=0x0) at rfc822.c:1515
n = 0
#9 0xb7bdf450 in rfc822_write_address_full (
dest=0x42130a14 "
\t\023BP÷Ô·°lÿ·Ð\235\aB^P\001BnP\001B~P\001BÀFÿ·\220Á\aB®P\001BÐ2\aBÎP\001BÞP\001B\0205\aBð]ÿ·\016Q\001B\036Q\001B.Q\001BP§\aBNQ\001B^Q\001BnQ\001B~Q\001B\216Q\001BÀyÿ·®Q\001B¾Q\001BÎQ\001B`)ÿ·Pº\aBà¬\aB",
adr=0x88d6fa0, base=0x0) at rfc822.c:2229
buf = {f = 0xb7bdf2cc <rfc822_legacy_soutr>, s = 0x0,
beg = 0x89485a8 "[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],"...,
cur = 0x89485a8 "[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],"..., end =
0x894c5a8 ""}
#10 0xb7afdfcf in _php_imap_parse_address (addresslist=0x88d6fa0,
fulladdress=0xbfff1f68, paddress=0x890397c) at
/root/progs/php-4.4.6/ext/imap/php_imap.c:3740
addresstmp = (struct mail_address *) 0x88d6fa0
tmpvals = (zval *) 0x89485a8
len = 0
#11 0xb7afe36e in _php_make_header_object (myzvalue=0x882f534,
en=0x88d7fe8) at /root/progs/php-4.4.6/ext/imap/php_imap.c:3782
paddress = (zval *) 0x890397c
fulladdress = 0x0
#12 0xb7af67fb in zif_imap_headerinfo (ht=143491048,
return_value=0x882f534, this_ptr=0x0, return_value_used=1) at
/root/progs/php-4.4.6/ext/imap/php_imap.c:1531
streamind = (zval **) 0x8399f84
msgno = (zval **) 0x8399f88
fromlength = (zval **) 0x0
subjectlength = (zval **) 0x0
defaulthost = (zval **) 0x0
imap_le_struct = (pils *) 0x839acd4
cache = (MESSAGECACHE *) 0x88f3ea0
en = (ENVELOPE *) 0x88d7fe8
dummy = "\220*ÿ¿;
÷\000\000\000\000\000\000\000\000¸/ÿ¿|û\212\b\b$ÿ¿A\235º·\214\177\220\b|[EMAIL
PROTECTED]&ÿ¿X1ÿ¿H*ÿ¿U\221\004B¸/ÿ¿X1ÿ¿\023y»·\f\000\000\000
$ÿ¿ \235Ñ·\000\000\000\000X\027\213\b;
÷è*ÿ¿Ëd\004B4$ÿ¿<3\213\b\000\000\000\000P\230\211\b\002\000\000\000E",
'\0' <repeats 11 times>,
"\001\000\000\000\\\000\000\000X5\213\b\001\000\001\000\001\000\000\000>è\215\b\001\000\000\000\001\000\001\000\001\000\000\000\220\230\211\b\001"...
fulladdress = '\0' <repeats 40 times>, "
\000\000\000\000\000\000\000\000)", '\0' <repeats 74 times>, "0
ÿ¿\\\"P\b", '\0' <repeats 20 times>, "L
ÿ¿4eV\b\000\000\000\000`\"\022B", '\0' <repeats 12 times>, "h ÿ¿¼Yo\b",
'\0' <repeats 18 times>, "d ", '\0' <repeats 16 times>, "\001", '\0'
<repeats 31 times>, "\227%ÿ¿\n\000\000\000\000\000\000\000H
Ñ·\000\000\000\000\000\000\000\0008
÷`!ÿ¿\000\000\000\000\001\000\000\000È&ÿ¿\230%ÿ¿\000\000\000\000;
÷\001\000\000\000ÿÿÿÿ", '\0' <repeats 16 times>, "¼Yo\b¼Yo\b(!ÿ"...
#13 0xb7bb7752 in execute (op_array=0x883e904) at
/root/progs/php-4.4.6/Zend/zend_execute.c:1681
execute_data = {opline = 0x8840e24, function_state =
{function_symbol_table = 0x84dd274, function = 0x832f358, reserved =
{0xe7, 0x890430c, 0xaeb5103, 0x7400000f}}, fbc = 0x0, ce = 0x0, object =
{
ptr = 0x0}, Ts = 0xbfff2bb0, original_in_execution = 1 '\001',
op_array = 0x883e904, prev_execute_data = 0xbfff3890}
#14 0xb7bb7505 in execute (op_array=0x883ea54) at
/root/progs/php-4.4.6/Zend/zend_execute.c:1725
execute_data = {opline = 0x8843070, function_state =
{function_symbol_table = 0x84dcdcc, function = 0x883e904, reserved =
{0xe8, 0x890430c, 0xaeb5103, 0x7400000a}}, fbc = 0x883e904, ce = 0x0,
object = {ptr = 0x88954a4}, Ts = 0xbfff2ff0, original_in_execution =
1 '\001', op_array = 0x883ea54, prev_execute_data = 0xbfffc8d0}
#15 0xb7bb7505 in execute (op_array=0x8386ba4) at
/root/progs/php-4.4.6/Zend/zend_execute.c:1725
execute_data = {opline = 0xb736cfec, function_state =
{function_symbol_table = 0x84efbdc, function = 0x883ea54, reserved =
{0xb7ba5836, 0x8386f7c, 0xbfffeb70, 0x0}}, fbc = 0x883ea54, ce = 0x0,
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=40925&edit=1
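The trace above shows c-client rendering a long address list through a staged buffer (beg/cur/end plus a flush callback) into a legacy fixed-size destination, and aborting via fatal() once more than SENDBUFLEN bytes arrive. The C program below is an added illustration, not c-client or PHP code: it models the same staged-buffer-plus-sink pattern, makes the sink fail closed (return an error) instead of aborting the server process, and adds the length pre-check a caller can run before rendering. SENDBUFLEN (16385) is the value named in the report; every type and function name, the chunk size, and the sample address are hypothetical stand-ins.

```c
/* Added example (not c-client or PHP code). Models the bounded output
 * buffer behind "rfc822.c legacy routine buffer overflow"; names are
 * hypothetical, SENDBUFLEN is the value from the report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SENDBUFLEN 16385   /* limit named in the report */
#define OUTBUF_CHUNK 64    /* small staging buffer so flushes happen often */

/* Legacy-style destination: one fixed buffer that must hold the whole
 * rendered list. The old code called fatal() here; we record it. */
typedef struct {
    char data[SENDBUFLEN];
    size_t used;
    int overflowed;
} legacy_sink;

/* Staging buffer with a flush callback, mirroring beg/cur/end + f/s. */
typedef struct {
    int (*flush)(void *sink, const char *chunk, size_t len);
    void *sink;
    char stage[OUTBUF_CHUNK];
    char *cur;
    char *end;
} outbuf;

/* Sink callback: appends a chunk, refusing rather than overrunning. */
static int legacy_soutr(void *s, const char *chunk, size_t len) {
    legacy_sink *sink = s;
    if (sink->used + len >= SENDBUFLEN) {   /* keep room for the NUL */
        sink->overflowed = 1;
        return 0;
    }
    memcpy(sink->data + sink->used, chunk, len);
    sink->used += len;
    sink->data[sink->used] = '\0';
    return 1;
}

static int outbuf_flush(outbuf *b) {
    size_t len = (size_t)(b->cur - b->stage);
    int ok = len ? b->flush(b->sink, b->stage, len) : 1;
    b->cur = b->stage;
    return ok;
}

/* Copy bytes into the stage buffer, flushing whenever it fills. */
static int outbuf_write(outbuf *b, const char *s, size_t len) {
    while (len) {
        size_t room = (size_t)(b->end - b->cur);
        size_t n = len < room ? len : room;
        memcpy(b->cur, s, n);
        b->cur += n; s += n; len -= n;
        if (b->cur == b->end && !outbuf_flush(b)) return 0;
    }
    return 1;
}

/* Render "a, b, c" into the sink; 1 on success, 0 where the legacy
 * path would have called fatal(). */
int render_address_list(const char **addrs, size_t n, legacy_sink *sink) {
    outbuf b = { legacy_soutr, sink, {0}, NULL, NULL };
    b.cur = b.stage; b.end = b.stage + OUTBUF_CHUNK;
    sink->used = 0; sink->overflowed = 0; sink->data[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (i && !outbuf_write(&b, ", ", 2)) return 0;
        if (!outbuf_write(&b, addrs[i], strlen(addrs[i]))) return 0;
    }
    return outbuf_flush(&b);
}

/* Pre-check a caller can run before rendering: bytes the list needs. */
size_t address_list_length(const char **addrs, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += strlen(addrs[i]) + (i ? 2 : 0);
    return total;
}

/* Render and compare with an expected string (sink is static: 16 KB). */
int renders_as(const char **addrs, size_t n, const char *expected) {
    static legacy_sink sink;
    return render_address_list(addrs, n, &sink) && strcmp(sink.data, expected) == 0;
}

/* Constructed recipient list: n copies of one 20-byte address. */
int fits_legacy_buffer(size_t n_recipients) {
    static const char *addr = "user@example.invalid";  /* constructed */
    const char **list = malloc(n_recipients * sizeof *list);
    legacy_sink *sink = malloc(sizeof *sink);
    int ok;
    if (!list || !sink) { free(list); free(sink); return -1; }
    for (size_t i = 0; i < n_recipients; i++) list[i] = addr;
    ok = render_address_list(list, n_recipients, sink);
    free(list); free(sink);
    return ok;
}

int main(void) {
    printf("3 recipients fit: %d\n", fits_legacy_buffer(3));
    printf("1000 recipients fit: %d\n", fits_legacy_buffer(1000));
    return 0;
}
```

With a 20-byte address and ", " separators the list needs 22n - 2 bytes, so 744 recipients (16366 bytes) still fit under the 16384 usable bytes while 745 (16388 bytes) trip the overflow check; the pre-check lets a caller compare that figure against the limit before any rendering starts, which is the kind of bound the report asks about.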