dmitry          Thu Oct 16 16:20:53 2008 UTC

  Modified files:              (Branch: PHP_5_2)
    /php-src    NEWS 
    /php-src/ext/imap   config.m4 php_imap.c 
  Log:
  Fixed bug #42862 (IMAP toolkit crash: rfc822.c legacy routine buffer overflow)
  
  
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1260&r2=1.2027.2.547.2.1261&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.1260 php-src/NEWS:1.2027.2.547.2.1261
--- php-src/NEWS:1.2027.2.547.2.1260    Thu Oct 16 15:36:45 2008
+++ php-src/NEWS        Thu Oct 16 16:20:52 2008
@@ -16,6 +16,8 @@
 - Fixed bug #44251, #41125 (PDO + quote() + prepare() can result in segfault).
   (tsteiner at nerdclub dot net)
 - Fixed bug #43723 (SOAP not sent properly from client for <choice>). (Dmitry)
+- Fixed bug #42862 (IMAP toolkit crash: rfc822.c legacy routine buffer
+  overflow). (Dmitry)
 - Fixed bug #42078 (pg_meta_data mix tables metadata from different schemas).
   (Felipe)
 - Fixed bug #37100 (data is returned truncated with BINARY CURSOR). (Tony)
http://cvs.php.net/viewvc.cgi/php-src/ext/imap/config.m4?r1=1.69.4.7&r2=1.69.4.8&diff_format=u
Index: php-src/ext/imap/config.m4
diff -u php-src/ext/imap/config.m4:1.69.4.7 php-src/ext/imap/config.m4:1.69.4.8
--- php-src/ext/imap/config.m4:1.69.4.7 Sun Feb 11 09:25:32 2007
+++ php-src/ext/imap/config.m4  Thu Oct 16 16:20:53 2008
@@ -1,5 +1,5 @@
 dnl
-dnl $Id: config.m4,v 1.69.4.7 2007/02/11 09:25:32 tony2001 Exp $
+dnl $Id: config.m4,v 1.69.4.8 2008/10/16 16:20:53 dmitry Exp $
 dnl
 
 AC_DEFUN([IMAP_INC_CHK],[if test -r "$i$1/c-client.h"; then
@@ -229,4 +229,34 @@
       AC_MSG_RESULT(no)
       AC_MSG_ERROR([build test failed. Please check the config.log for 
details.])
     ], $TST_LIBS)
+
+    AC_MSG_CHECKING(whether rfc822_output_address_list function present)
+    PHP_TEST_BUILD(foobar, [
+      AC_MSG_RESULT(yes)
+      AC_DEFINE(HAVE_RFC822_OUTPUT_ADDRESS_LIST, 1, [ ])
+    ], [
+      AC_MSG_RESULT(no)
+       ], [
+      $TST_LIBS
+    ], [
+      void mm_log(void){}
+      void mm_dlog(void){}
+      void mm_flags(void){}
+      void mm_fatal(void){}
+      void mm_critical(void){}
+      void mm_nocritical(void){}
+      void mm_notify(void){}
+      void mm_login(void){}
+      void mm_diskerror(void){}
+      void mm_status(void){}
+      void mm_lsub(void){}
+      void mm_list(void){}
+      void mm_exists(void){}
+      void mm_searched(void){}
+      void mm_expunged(void){}
+      void rfc822_output_address_list(void);
+      void (*f)(void);
+      char foobar () {f = rfc822_output_address_list;}
+    ])
+
 fi
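Review bot: A false negative in this probe silently selects the legacy `rfc822_write_address` fallback in php_imap.c, and the test body `char foobar () {f = rfc822_output_address_list;}` falls off the end of a non-void function. A toolchain that treats a missing return as an error would answer `no` even when the symbol is present. Returning a value, e.g. `char foobar () {f = rfc822_output_address_list; return 0;}`, removes that risk. The `AC_DEFINE` description is also empty; something like `[Whether c-client provides rfc822_output_address_list()]` would make the generated config header self-explanatory.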
http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.208.2.7.2.36&r2=1.208.2.7.2.37&diff_format=u
Index: php-src/ext/imap/php_imap.c
diff -u php-src/ext/imap/php_imap.c:1.208.2.7.2.36 
php-src/ext/imap/php_imap.c:1.208.2.7.2.37
--- php-src/ext/imap/php_imap.c:1.208.2.7.2.36  Mon Aug  4 21:16:22 2008
+++ php-src/ext/imap/php_imap.c Thu Oct 16 16:20:53 2008
@@ -26,7 +26,7 @@
    | PHP 4.0 updates:  Zeev Suraski <[EMAIL PROTECTED]>                       |
    +----------------------------------------------------------------------+
  */
-/* $Id: php_imap.c,v 1.208.2.7.2.36 2008/08/04 21:16:22 jani Exp $ */
+/* $Id: php_imap.c,v 1.208.2.7.2.37 2008/10/16 16:20:53 dmitry Exp $ */
 
 #define IMAP41
 
@@ -40,6 +40,7 @@
 #include "ext/standard/php_string.h"
 #include "ext/standard/info.h"
 #include "ext/standard/file.h"
+#include "ext/standard/php_smart_str.h"
 
 #ifdef ERROR
 #undef ERROR
@@ -66,10 +67,11 @@
 #define SENDBUFLEN 16385
 #endif
 
+
 static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC);
 static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC);
-static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, 
zval *paddress TSRMLS_DC);
-static int _php_imap_address_size(ADDRESS *addresslist);
+static char* _php_imap_parse_address(ADDRESS *addresslist, zval *paddress 
TSRMLS_DC);
+static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC);
 
 /* the gets we use */
 static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, 
GETS_DATA *md);
@@ -2112,7 +2114,7 @@
 {
        zval **mailbox, **host, **personal;
        ADDRESS *addr;
-       char string[MAILTMPLEN];
+       char *string;
 
        if (ZEND_NUM_ARGS() != 3 || zend_get_parameters_ex(3, &mailbox, &host, 
&personal) == FAILURE) {
                ZEND_WRONG_PARAM_COUNT();
@@ -2140,13 +2142,12 @@
        addr->error=NIL;
        addr->adl=NIL;
 
-       if (_php_imap_address_size(addr) >= MAILTMPLEN) {
+       string = _php_rfc822_write_address(addr TSRMLS_CC);
+       if (string) {
+               RETVAL_STRING(string, 0);
+       } else {
                RETURN_FALSE;
        }
-
-       string[0]='\0';
-       rfc822_write_address(string, addr);
-       RETVAL_STRING(string, 1);
 }
 /* }}} */
 
@@ -2880,7 +2881,7 @@
        zval **streamind, **sequence, **pflags;
        pils *imap_le_struct;
        zval *myoverview;
-       char address[MAILTMPLEN];
+       char *address;
        long status, flags=0L;
        int myargc = ZEND_NUM_ARGS();
        
@@ -2915,17 +2916,19 @@
                                if (env->subject) {
                                        add_property_string(myoverview, 
"subject", env->subject, 1);
                                }
-                               if (env->from && 
_php_imap_address_size(env->from) < MAILTMPLEN) {
+                               if (env->from) {
                                        env->from->next=NULL;
-                                       address[0] = '\0';
-                                       rfc822_write_address(address, 
env->from);
-                                       add_property_string(myoverview, "from", 
address, 1);
+                                       address 
=_php_rfc822_write_address(env->from TSRMLS_CC);
+                                       if (address) {
+                                               add_property_string(myoverview, 
"from", address, 0);
+                                       }
                                }
-                               if (env->to && _php_imap_address_size(env->to) 
< MAILTMPLEN) {
+                               if (env->to) {
                                        env->to->next = NULL;
-                                       address[0] = '\0';
-                                       rfc822_write_address(address, env->to);
-                                       add_property_string(myoverview, "to", 
address, 1);
+                                       address = 
_php_rfc822_write_address(env->to TSRMLS_CC);
+                                       if (address) {
+                                               add_property_string(myoverview, 
"to", address, 0);
+                                       }
                                }
                                if (env->date) {
                                        add_property_string(myoverview, "date", 
env->date, 1);
@@ -3870,6 +3873,43 @@
 /* }}} */
 
 /* Support Functions */
+
+#ifdef HAVE_RFC822_OUTPUT_ADDRESS_LIST
+/* {{{ _php_rfc822_soutr
+ */
+static long _php_rfc822_soutr (void *stream, char *string)
+{
+       smart_str *ret = (smart_str*)stream;
+       int len = strlen(string);
+
+       smart_str_appendl(ret, string, len);    
+       return LONGT;
+}
+
+/* }}} */
+
+/* {{{ _php_rfc822_write_address
+ */
+static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC)
+{
+       char address[MAILTMPLEN];
+       smart_str ret = {0};
+       RFC822BUFFER buf;
+
+       buf.beg = address;
+       buf.cur = buf.beg;
+       buf.end = buf.beg + sizeof(address) - 1;
+       buf.s = &ret;
+       buf.f = _php_rfc822_soutr;
+       rfc822_output_address_list(&buf, addresslist, 0, NULL);
+       rfc822_output_flush(&buf);
+       smart_str_0(&ret);
+       return ret.c;
+}
+/* }}} */
+
+#else
+
 /* {{{ _php_imap_get_address_size
  */
 static int _php_imap_address_size (ADDRESS *addresslist)
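Review bot: The contract of the new `_php_rfc822_write_address` is undocumented, although every caller now passes its result to the engine with duplicate=0. It returns `ret.c`, which appears to stay NULL when c-client emits nothing and is otherwise a request-allocated, NUL-terminated buffer. I would replace the empty fold comment with one saying that the caller owns the returned string (or gets NULL), and that `address[MAILTMPLEN]` is only c-client's staging buffer, drained through `_php_rfc822_soutr`. In `_php_rfc822_soutr`, `int len = strlen(string);` narrows a `size_t`; `size_t len = strlen(string);` avoids the implicit conversion. The `#else` branch opened here continues past the end of this hunk.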
@@ -3899,26 +3939,33 @@
 
 /* }}} */
 
+/* {{{ _php_rfc822_write_address
+ */
+static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC)
+{
+       char address[SENDBUFLEN];
 
+       if (_php_imap_address_size(addresslist) >= SENDBUFLEN) {
+               php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer 
overflow");
+               return NULL;
+       }
+       address[0] = 0;
+       rfc822_write_address(address, addresslist);
+       return estrdup(address);
+}
+/* }}} */
+#endif
 /* {{{ _php_imap_parse_address
  */
-static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, 
zval *paddress TSRMLS_DC)
+static char* _php_imap_parse_address (ADDRESS *addresslist, zval *paddress 
TSRMLS_DC)
 {
+       char *fulladdress;
        ADDRESS *addresstmp;
        zval *tmpvals;
-       char *tmpstr;
-       int len=0;
                
        addresstmp = addresslist;
 
-       if ((len = _php_imap_address_size(addresstmp))) {
-               tmpstr = (char *) pemalloc(len + 1, 1);
-               tmpstr[0] = '\0';
-               rfc822_write_address(tmpstr, addresstmp);
-               *fulladdress = tmpstr;
-       } else {
-               *fulladdress = NULL;
-       }
+       fulladdress = _php_rfc822_write_address(addresstmp TSRMLS_CC);
        
        addresstmp = addresslist;
        do {
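Review bot: In the fallback `_php_rfc822_write_address`, the error raised with `E_ERROR` and the message "Address buffer overflow" is normally fatal, so the `return NULL;` after it is effectively dead. The `if (address)` / `if (fulladdress)` checks in the callers therefore never get the chance to skip an oversized header. Because these address lists come from message headers, an over-long one would abort the whole request on builds without `rfc822_output_address_list`; raising `E_WARNING` instead would let the NULL path work as the callers expect. The guard is also only as good as `_php_imap_address_size()` being an upper bound on what `rfc822_write_address()` writes into `address[SENDBUFLEN]`; that function's body is outside this hunk, so it is worth confirming. The body of `_php_imap_parse_address` continues past the end of this hunk.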
@@ -3930,6 +3977,7 @@
                if (addresstmp->host) add_property_string(tmpvals, "host", 
addresstmp->host, 1);
                add_next_index_object(paddress, tmpvals TSRMLS_CC);
        } while ((addresstmp = addresstmp->next));
+       return fulladdress;
 }
 /* }}} */
 
@@ -3956,10 +4004,9 @@
        if (en->to) {
                MAKE_STD_ZVAL(paddress);
                array_init(paddress);
-               _php_imap_parse_address(en->to, &fulladdress, paddress 
TSRMLS_CC);
+               fulladdress = _php_imap_parse_address(en->to, paddress 
TSRMLS_CC);
                if (fulladdress) {
-                       add_property_string(myzvalue, "toaddress", fulladdress, 
1);
-                       free(fulladdress);
+                       add_property_string(myzvalue, "toaddress", fulladdress, 
0);
                }
                add_assoc_object(myzvalue, "to", paddress TSRMLS_CC);
        }
@@ -3967,10 +4014,9 @@
        if (en->from) {
                MAKE_STD_ZVAL(paddress);
                array_init(paddress);
-               _php_imap_parse_address(en->from, &fulladdress, paddress 
TSRMLS_CC);
+               fulladdress = _php_imap_parse_address(en->from, paddress 
TSRMLS_CC);
                if (fulladdress) {
-                       add_property_string(myzvalue, "fromaddress", 
fulladdress, 1);
-                       free(fulladdress);
+                       add_property_string(myzvalue, "fromaddress", 
fulladdress, 0);
                }
                add_assoc_object(myzvalue, "from", paddress TSRMLS_CC);
        }
@@ -3978,10 +4024,9 @@
        if (en->cc) {
                MAKE_STD_ZVAL(paddress);
                array_init(paddress);
-               _php_imap_parse_address(en->cc, &fulladdress, paddress 
TSRMLS_CC);
+               fulladdress = _php_imap_parse_address(en->cc, paddress 
TSRMLS_CC);
                if (fulladdress) {
-                       add_property_string(myzvalue, "ccaddress", fulladdress, 
1);
-                       free(fulladdress);
+                       add_property_string(myzvalue, "ccaddress", fulladdress, 
0);
                }
                add_assoc_object(myzvalue, "cc", paddress TSRMLS_CC);
        }
@@ -3989,10 +4034,9 @@
        if (en->bcc) {
                MAKE_STD_ZVAL(paddress);
                array_init(paddress);
-               _php_imap_parse_address(en->bcc, &fulladdress, paddress 
TSRMLS_CC);
+               fulladdress = _php_imap_parse_address(en->bcc, paddress 
TSRMLS_CC);
                if (fulladdress) {
-                       add_property_string(myzvalue, "bccaddress", 
fulladdress, 1);
-                       free(fulladdress);
+                       add_property_string(myzvalue, "bccaddress", 
fulladdress, 0);
                }
                add_assoc_object(myzvalue, "bcc", paddress TSRMLS_CC);
        }
@@ -4000,10 +4044,9 @@
        if (en->reply_to) {
                MAKE_STD_ZVAL(paddress);
                array_init(paddress);
-               _php_imap_parse_address(en->reply_to, &fulladdress, paddress 
TSRMLS_CC);
+               fulladdress = _php_imap_parse_address(en->reply_to, paddress 
TSRMLS_CC);
                if (fulladdress) {
-                       add_property_string(myzvalue, "reply_toaddress", 
fulladdress, 1);
-                       free(fulladdress);
+                       add_property_string(myzvalue, "reply_toaddress", 
fulladdress, 0);
                }
                add_assoc_object(myzvalue, "reply_to", paddress TSRMLS_CC);
        }
@@ -4011,10 +4054,9 @@
        if (en->sender) {
                MAKE_STD_ZVAL(paddress);
                array_init(paddress);
-               _php_imap_parse_address(en->sender, &fulladdress, paddress 
TSRMLS_CC);
+               fulladdress = _php_imap_parse_address(en->sender, paddress 
TSRMLS_CC);
                if (fulladdress) {
-                       add_property_string(myzvalue, "senderaddress", 
fulladdress, 1);
-                       free(fulladdress);
+                       add_property_string(myzvalue, "senderaddress", 
fulladdress, 0);
                }
                add_assoc_object(myzvalue, "sender", paddress TSRMLS_CC);
        }
@@ -4022,10 +4064,9 @@
        if (en->return_path) {
                MAKE_STD_ZVAL(paddress);
                array_init(paddress);
-               _php_imap_parse_address(en->return_path, &fulladdress, paddress 
TSRMLS_CC);
+               fulladdress = _php_imap_parse_address(en->return_path, paddress 
TSRMLS_CC);
                if (fulladdress) {
-                       add_property_string(myzvalue, "return_pathaddress", 
fulladdress, 1);
-                       free(fulladdress);
+                       add_property_string(myzvalue, "return_pathaddress", 
fulladdress, 0);
                }
                add_assoc_object(myzvalue, "return_path", paddress TSRMLS_CC);
        }
