dmitry Thu Oct 16 16:20:53 2008 UTC Modified files: (Branch: PHP_5_2) /php-src NEWS /php-src/ext/imap config.m4 php_imap.c Log: Fixed bug #42862 (IMAP toolkit crash: rfc822.c legacy routine buffer overflow)
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1260&r2=1.2027.2.547.2.1261&diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.2027.2.547.2.1260 php-src/NEWS:1.2027.2.547.2.1261 --- php-src/NEWS:1.2027.2.547.2.1260 Thu Oct 16 15:36:45 2008 +++ php-src/NEWS Thu Oct 16 16:20:52 2008 @@ -16,6 +16,8 @@ - Fixed bug #44251, #41125 (PDO + quote() + prepare() can result in segfault). (tsteiner at nerdclub dot net) - Fixed bug #43723 (SOAP not sent properly from client for <choice>). (Dmitry) +- Fixed bug #42862 (IMAP toolkit crash: rfc822.c legacy routine buffer + overflow). (Dmitry) - Fixed bug #42078 (pg_meta_data mix tables metadata from different schemas). (Felipe) - Fixed bug #37100 (data is returned truncated with BINARY CURSOR). (Tony) http://cvs.php.net/viewvc.cgi/php-src/ext/imap/config.m4?r1=1.69.4.7&r2=1.69.4.8&diff_format=u Index: php-src/ext/imap/config.m4 diff -u php-src/ext/imap/config.m4:1.69.4.7 php-src/ext/imap/config.m4:1.69.4.8 --- php-src/ext/imap/config.m4:1.69.4.7 Sun Feb 11 09:25:32 2007 +++ php-src/ext/imap/config.m4 Thu Oct 16 16:20:53 2008 @@ -1,5 +1,5 @@ dnl -dnl $Id: config.m4,v 1.69.4.7 2007/02/11 09:25:32 tony2001 Exp $ +dnl $Id: config.m4,v 1.69.4.8 2008/10/16 16:20:53 dmitry Exp $ dnl AC_DEFUN([IMAP_INC_CHK],[if test -r "$i$1/c-client.h"; then 
@@ -229,4 +229,34 @@ AC_MSG_RESULT(no) AC_MSG_ERROR([build test failed. Please check the config.log for details.]) ], $TST_LIBS) + + AC_MSG_CHECKING(whether rfc822_output_address_list function present) + PHP_TEST_BUILD(foobar, [ + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_RFC822_OUTPUT_ADDRESS_LIST, 1, [ ]) + ], [ + AC_MSG_RESULT(no) + ], [ + $TST_LIBS + ], [ + void mm_log(void){} + void mm_dlog(void){} + void mm_flags(void){} + void mm_fatal(void){} + void mm_critical(void){} + void mm_nocritical(void){} + void mm_notify(void){} + void mm_login(void){} + void mm_diskerror(void){} + void mm_status(void){} + void mm_lsub(void){} + void mm_list(void){} + void mm_exists(void){} + void mm_searched(void){} + void mm_expunged(void){} + void rfc822_output_address_list(void); + void (*f)(void); + char foobar () {f = rfc822_output_address_list;} + ]) + fi http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.208.2.7.2.36&r2=1.208.2.7.2.37&diff_format=u Index: php-src/ext/imap/php_imap.c diff -u php-src/ext/imap/php_imap.c:1.208.2.7.2.36 php-src/ext/imap/php_imap.c:1.208.2.7.2.37 --- php-src/ext/imap/php_imap.c:1.208.2.7.2.36 Mon Aug 4 21:16:22 2008 +++ php-src/ext/imap/php_imap.c Thu Oct 16 16:20:53 2008 @@ -26,7 +26,7 @@ | PHP 4.0 updates: Zeev Suraski <[EMAIL PROTECTED]> | +----------------------------------------------------------------------+ */ -/* $Id: php_imap.c,v 1.208.2.7.2.36 2008/08/04 21:16:22 jani Exp $ */ +/* $Id: php_imap.c,v 1.208.2.7.2.37 2008/10/16 16:20:53 dmitry Exp $ */ #define IMAP41 @@ -40,6 +40,7 @@ #include "ext/standard/php_string.h" #include "ext/standard/info.h" #include "ext/standard/file.h" +#include "ext/standard/php_smart_str.h" #ifdef ERROR #undef ERROR 
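Review bot: The new `rfc822_output_address_list` probe in config.m4 falls back silently: when the link test fails, the only trace is `AC_MSG_RESULT(no)`, and php_imap.c then compiles its `#else` path around the legacy `rfc822_write_address` routine that bug #42862 is about. A packager linking an older c-client, or hitting an unrelated link failure in this test, gets the fixed-buffer path without being told, so I would add `AC_MSG_WARN([rfc822_output_address_list not found; using legacy rfc822_write_address with a fixed-size buffer])` to the failure branch. Separately, `char foobar () {f = rfc822_output_address_list;}` has no return statement; that is harmless for a link-only test, but adding `return 0;` keeps a stricter compiler configuration from failing the probe for the wrong reason.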
@@ -66,10 +67,11 @@ #define SENDBUFLEN 16385 #endif + static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC); static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC); -static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC); -static int _php_imap_address_size(ADDRESS *addresslist); +static char* _php_imap_parse_address(ADDRESS *addresslist, zval *paddress TSRMLS_DC); +static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC); /* the gets we use */ static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md); @@ -2112,7 +2114,7 @@ { zval **mailbox, **host, **personal; ADDRESS *addr; - char string[MAILTMPLEN]; + char *string; if (ZEND_NUM_ARGS() != 3 || zend_get_parameters_ex(3, &mailbox, &host, &personal) == FAILURE) { ZEND_WRONG_PARAM_COUNT(); @@ -2140,13 +2142,12 @@ addr->error=NIL; addr->adl=NIL; - if (_php_imap_address_size(addr) >= MAILTMPLEN) { + string = _php_rfc822_write_address(addr TSRMLS_CC); + if (string) { + RETVAL_STRING(string, 0); + } else { RETURN_FALSE; } - - string[0]='\0'; - rfc822_write_address(string, addr); - RETVAL_STRING(string, 1); } /* }}} */ @@ -2880,7 +2881,7 @@ zval **streamind, **sequence, **pflags; pils *imap_le_struct; zval *myoverview; - char address[MAILTMPLEN]; + char *address; long status, flags=0L; int myargc = ZEND_NUM_ARGS(); 
@@ -2915,17 +2916,19 @@ if (env->subject) { add_property_string(myoverview, "subject", env->subject, 1); } - if (env->from && _php_imap_address_size(env->from) < MAILTMPLEN) { + if (env->from) { env->from->next=NULL; - address[0] = '\0'; - rfc822_write_address(address, env->from); - add_property_string(myoverview, "from", address, 1); + address =_php_rfc822_write_address(env->from TSRMLS_CC); + if (address) { + add_property_string(myoverview, "from", address, 0); + } } - if (env->to && _php_imap_address_size(env->to) < MAILTMPLEN) { + if (env->to) { env->to->next = NULL; - address[0] = '\0'; - rfc822_write_address(address, env->to); - add_property_string(myoverview, "to", address, 1); + address = _php_rfc822_write_address(env->to TSRMLS_CC); + if (address) { + add_property_string(myoverview, "to", address, 0); + } } if (env->date) { add_property_string(myoverview, "date", env->date, 1); @@ -3870,6 +3873,43 @@ /* }}} */ /* Support Functions */ + +#ifdef HAVE_RFC822_OUTPUT_ADDRESS_LIST +/* {{{ _php_rfc822_soutr + */ +static long _php_rfc822_soutr (void *stream, char *string) +{ + smart_str *ret = (smart_str*)stream; + int len = strlen(string); + + smart_str_appendl(ret, string, len); + return LONGT; +} + +/* }}} */ + +/* {{{ _php_rfc822_write_address + */ +static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC) +{ + char address[MAILTMPLEN]; + smart_str ret = {0}; + RFC822BUFFER buf; + + buf.beg = address; + buf.cur = buf.beg; + buf.end = buf.beg + sizeof(address) - 1; + buf.s = &ret; + buf.f = _php_rfc822_soutr; + rfc822_output_address_list(&buf, addresslist, 0, NULL); + rfc822_output_flush(&buf); + smart_str_0(&ret); + return ret.c; +} +/* }}} */ + +#else + /* {{{ _php_imap_get_address_size */ static int _php_imap_address_size (ADDRESS *addresslist) 
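Review bot: The new `_php_rfc822_write_address` carries only the fold marker as a comment, yet every caller in this commit depends on an unstated ownership contract: the result is handed to `RETVAL_STRING(string, 0)` and `add_property_string(..., 0)`, which adopt the buffer instead of copying it. I would state that above the function, e.g. `/* Returns an emalloc()ed, NUL-terminated string owned by the caller (pass with duplicate=0 or efree it); NULL when nothing was written. */`, so a later edit does not return static or malloc()ed memory from either variant. In `_php_rfc822_soutr`, `int len = strlen(string);` narrows a `size_t`, and `size_t len` avoids that. The return values of `rfc822_output_address_list` and `rfc822_output_flush` are discarded, which looks safe only because the sink always returns `LONGT`.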
@@ -3899,26 +3939,33 @@ /* }}} */ +/* {{{ _php_rfc822_write_address + */ +static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC) +{ + char address[SENDBUFLEN]; + if (_php_imap_address_size(addresslist) >= SENDBUFLEN) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow"); + return NULL; + } + address[0] = 0; + rfc822_write_address(address, addresslist); + return estrdup(address); +} +/* }}} */ +#endif /* {{{ _php_imap_parse_address */ -static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC) +static char* _php_imap_parse_address (ADDRESS *addresslist, zval *paddress TSRMLS_DC) { + char *fulladdress; ADDRESS *addresstmp; zval *tmpvals; - char *tmpstr; - int len=0; addresstmp = addresslist; - if ((len = _php_imap_address_size(addresstmp))) { - tmpstr = (char *) pemalloc(len + 1, 1); - tmpstr[0] = '\0'; - rfc822_write_address(tmpstr, addresstmp); - *fulladdress = tmpstr; - } else { - *fulladdress = NULL; - } + fulladdress = _php_rfc822_write_address(addresstmp TSRMLS_CC); addresstmp = addresslist; do { @@ -3930,6 +3977,7 @@ if (addresstmp->host) add_property_string(tmpvals, "host", addresstmp->host, 1); add_next_index_object(paddress, tmpvals TSRMLS_CC); } while ((addresstmp = addresstmp->next)); + return fulladdress; } /* }}} */ @@ -3956,10 +4004,9 @@ if (en->to) { MAKE_STD_ZVAL(paddress); array_init(paddress); - _php_imap_parse_address(en->to, &fulladdress, paddress TSRMLS_CC); + fulladdress = _php_imap_parse_address(en->to, paddress TSRMLS_CC); if (fulladdress) { - add_property_string(myzvalue, "toaddress", fulladdress, 1); - free(fulladdress); + add_property_string(myzvalue, "toaddress", fulladdress, 0); } add_assoc_object(myzvalue, "to", paddress TSRMLS_CC); } 
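Review bot: In the `#else` fallback `_php_rfc822_write_address`, the oversize case is reported with `E_ERROR`, which is fatal in PHP, so the `return NULL;` after it is not reached and the callers' `if (address)` / `if (fulladdress)` checks never handle this case. The address lists come from message envelopes (`env->from`, `en->to`, ...), so on builds without `rfc822_output_address_list` a single message whose address list reaches `SENDBUFLEN` aborts the script, where the removed code in the overview and in imap_rfc822_write_address skipped the field or returned FALSE. `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Address buffer overflow");` would keep the NULL path meaningful. The guard is also only as strong as `_php_imap_address_size`, whose body lies outside this hunk; it has to be a true upper bound on what `rfc822_write_address` writes into `address[SENDBUFLEN]`.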
@@ -3967,10 +4014,9 @@ if (en->from) { MAKE_STD_ZVAL(paddress); array_init(paddress); - _php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC); + fulladdress = _php_imap_parse_address(en->from, paddress TSRMLS_CC); if (fulladdress) { - add_property_string(myzvalue, "fromaddress", fulladdress, 1); - free(fulladdress); + add_property_string(myzvalue, "fromaddress", fulladdress, 0); } add_assoc_object(myzvalue, "from", paddress TSRMLS_CC); } @@ -3978,10 +4024,9 @@ if (en->cc) { MAKE_STD_ZVAL(paddress); array_init(paddress); - _php_imap_parse_address(en->cc, &fulladdress, paddress TSRMLS_CC); + fulladdress = _php_imap_parse_address(en->cc, paddress TSRMLS_CC); if (fulladdress) { - add_property_string(myzvalue, "ccaddress", fulladdress, 1); - free(fulladdress); + add_property_string(myzvalue, "ccaddress", fulladdress, 0); } add_assoc_object(myzvalue, "cc", paddress TSRMLS_CC); } @@ -3989,10 +4034,9 @@ if (en->bcc) { MAKE_STD_ZVAL(paddress); array_init(paddress); - _php_imap_parse_address(en->bcc, &fulladdress, paddress TSRMLS_CC); + fulladdress = _php_imap_parse_address(en->bcc, paddress TSRMLS_CC); if (fulladdress) { - add_property_string(myzvalue, "bccaddress", fulladdress, 1); - free(fulladdress); + add_property_string(myzvalue, "bccaddress", fulladdress, 0); } add_assoc_object(myzvalue, "bcc", paddress TSRMLS_CC); } @@ -4000,10 +4044,9 @@ if (en->reply_to) { MAKE_STD_ZVAL(paddress); array_init(paddress); - _php_imap_parse_address(en->reply_to, &fulladdress, paddress TSRMLS_CC); + fulladdress = _php_imap_parse_address(en->reply_to, paddress TSRMLS_CC); if (fulladdress) { - add_property_string(myzvalue, "reply_toaddress", fulladdress, 1); - free(fulladdress); + add_property_string(myzvalue, "reply_toaddress", fulladdress, 0); } add_assoc_object(myzvalue, "reply_to", paddress TSRMLS_CC); } 
@@ -4011,10 +4054,9 @@ if (en->sender) { MAKE_STD_ZVAL(paddress); array_init(paddress); - _php_imap_parse_address(en->sender, &fulladdress, paddress TSRMLS_CC); + fulladdress = _php_imap_parse_address(en->sender, paddress TSRMLS_CC); if (fulladdress) { - add_property_string(myzvalue, "senderaddress", fulladdress, 1); - free(fulladdress); + add_property_string(myzvalue, "senderaddress", fulladdress, 0); } add_assoc_object(myzvalue, "sender", paddress TSRMLS_CC); } @@ -4022,10 +4064,9 @@ if (en->return_path) { MAKE_STD_ZVAL(paddress); array_init(paddress); - _php_imap_parse_address(en->return_path, &fulladdress, paddress TSRMLS_CC); + fulladdress = _php_imap_parse_address(en->return_path, paddress TSRMLS_CC); if (fulladdress) { - add_property_string(myzvalue, "return_pathaddress", fulladdress, 1); - free(fulladdress); + add_property_string(myzvalue, "return_pathaddress", fulladdress, 0); } add_assoc_object(myzvalue, "return_path", paddress TSRMLS_CC); }