ID:               48619
 Comment by:       andy at webtatic dot com
 Reported By:      andy at webtatic dot com
 Status:           Assigned
 Bug Type:         IMAP related
 Operating System: CentOS 5.3 i386
 PHP Version:      5.2.10
 Assigned To:      pajoye
 New Comment:

SE_FREE is also a PHP constant, so the user (for some reason), might
pass in the flag SE_FREE | SE_UID, which a direct != will not match
SE_FREE on, causing the same issue. You should probably do a bitwise
check for the flag in your case.


Previous Comments:
------------------------------------------------------------------------

[2009-06-20 21:15:49] paj...@php.net

I made one already too, http://pastebin.com/m22b58a19

I prefer this way as there is no ambiguity, I also fixed the other
locations where a similar situation can happen.

I have to merge into head and it will be committed.

Thanks for your work!

------------------------------------------------------------------------

[2009-06-20 20:54:37] andy at webtatic dot com

I've made a patch for it, as I'd like to have it patched in my rpms of
5.2.10.

I can't see anywhere to upload files, so I'll post it here, only
short:

--- php-5.2.10/ext/imap/php_imap.c.pgmfree      2009-06-20
21:44:54.000000000 +0100
+++ php-5.2.10/ext/imap/php_imap.c      2009-06-20 21:45:16.000000000 +0100
@@ -3701,7 +3701,7 @@
                flags = SE_FREE;
        } else {
                convert_to_long_ex(search_flags);
-               flags = Z_LVAL_PP(search_flags);
+               flags = Z_LVAL_PP(search_flags) & SE_FREE;
                if (argc == 4) {
                        convert_to_string_ex(charset);
                }
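Review bot: `flags = Z_LVAL_PP(search_flags) & SE_FREE;` throws away every user-supplied flag except SE_FREE, so a caller who passes SE_UID silently loses it, and a value without SE_FREE collapses to 0, which (with the explicit free removed in the second hunk) leaves pgm never released. Keep the user's flags intact and either OR in SE_FREE unconditionally, `flags = Z_LVAL_PP(search_flags) | SE_FREE;`, as the 20:30 comment proposes, or leave this line as it was and make the caller's free conditional on `!(flags & SE_FREE)`.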
@@ -3712,10 +3712,6 @@
 
        mail_search_full(imap_le_struct->imap_stream, (argc == 4 ?
Z_STRVAL_PP(charset) : NIL), pgm, flags);
 
-       if (pgm) {
-               mail_free_searchpgm(&pgm);
-       }
-
        if (IMAPG(imap_messages) == NIL) {
                efree(search_criteria);
                RETURN_FALSE;
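Review bot: deleting the `mail_free_searchpgm(&pgm)` block outright is only safe if SE_FREE is guaranteed to be in `flags` on every path; combined with the masking in the first hunk, any user flag value lacking SE_FREE now leaks pgm on each call. A conditional release, `if (pgm && !(flags & SE_FREE)) { mail_free_searchpgm(&pgm); }`, keeps ownership correct whether or not c-client frees it, and the bitwise test matters: `flags != SE_FREE` would still double-free for SE_FREE | SE_UID.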

------------------------------------------------------------------------

[2009-06-20 20:39:22] paj...@php.net

Ah nice catch for this edge case. I will fix it soonish. Thanks :)

------------------------------------------------------------------------

[2009-06-20 20:34:39] andy at webtatic dot com

Also, looking at c-client's latest, the same internal free happens, so it
will cause the same problem.

------------------------------------------------------------------------

[2009-06-20 20:30:30] andy at webtatic dot com

Ok, I did some investigating and found out it is caused by the fix
#47940.

If no search flags are set, you set flags to SE_FREE, so
mail_search_full then frees the pgm internally, but then you free it
again, causing the segfault. This will be an issue on any OS.

The correct way to do it would probably be to always add the SE_FREE
flag and let it do it itself, and not free in imap_search.
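The double free described in this comment, together with the `!=` versus bitwise-check point raised in the newest comment at the top of this report, modelled in C as an added example (this is not PHP's ext/imap code and not c-client's). `searchpgm_t`, `mail_search_full_model`, `imap_search_model` and the `free_attempts` counter are constructed names, and the SE_UID / SE_FREE values are illustrative rather than c-client's definitions. A second release attempt is counted rather than performed, so the model stays memory-safe while still showing which ownership check double-frees and which one is correct for combined flags.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative flag values, not c-client's real definitions. */
#define SE_UID  0x01L
#define SE_FREE 0x02L

/* Stand-in for c-client's SEARCHPGM (constructed for this example). */
typedef struct {
    char *criteria;
    int   released;   /* set once the criteria buffer has been freed */
} searchpgm_t;

static int free_attempts;   /* release attempts on the current pgm */

static searchpgm_t *searchpgm_new(const char *criteria) {
    searchpgm_t *p = calloc(1, sizeof *p);
    p->criteria = malloc(strlen(criteria) + 1);
    strcpy(p->criteria, criteria);
    return p;
}

/* Models mail_free_searchpgm(): every attempt is counted, but only the
 * first one frees, because a real second free() is undefined behaviour. */
static void searchpgm_free(searchpgm_t *p) {
    free_attempts++;
    if (p && !p->released) {
        free(p->criteria);
        p->criteria = NULL;
        p->released = 1;
    }
}

/* Models mail_search_full(): with SE_FREE the callee takes ownership of
 * pgm and releases it before returning; without it the caller keeps it. */
static void mail_search_full_model(searchpgm_t *pgm, long flags) {
    if (flags & SE_FREE) {
        searchpgm_free(pgm);
    }
}

/* How the imap_search wrapper decides whether it still owns pgm. */
enum owner_check {
    CHECK_NONE,      /* 5.2.10: always free afterwards (the bug in this report) */
    CHECK_EQUALITY,  /* free unless flags == SE_FREE (misses SE_FREE | SE_UID)   */
    CHECK_BITWISE    /* free unless (flags & SE_FREE)                            */
};

/* Models imap_search(). Returns the number of release attempts on pgm:
 * 1 is correct, 2 is a double free, 0 would be a leak. */
static int imap_search_model(long user_flags, int flags_given,
                             enum owner_check check) {
    long flags = flags_given ? user_flags : SE_FREE;  /* default since #47940 */
    searchpgm_t *pgm = searchpgm_new("UNSEEN");
    free_attempts = 0;

    mail_search_full_model(pgm, flags);

    int callee_owned;
    switch (check) {
    case CHECK_EQUALITY: callee_owned = (flags == SE_FREE);       break;
    case CHECK_BITWISE:  callee_owned = (flags & SE_FREE) != 0;   break;
    default:             callee_owned = 0;                        break;
    }
    if (!callee_owned) {
        searchpgm_free(pgm);
    }

    int attempts = free_attempts;
    if (!pgm->released) {       /* nobody freed it: avoid leaking the model */
        free(pgm->criteria);
    }
    free(pgm);
    return attempts;
}

int main(void) {
    static const struct { const char *name; enum owner_check c; } checks[] = {
        { "always free (5.2.10)", CHECK_NONE },
        { "flags != SE_FREE",     CHECK_EQUALITY },
        { "!(flags & SE_FREE)",   CHECK_BITWISE },
    };
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++) {
        printf("%-22s default:%d  SE_UID:%d  SE_FREE|SE_UID:%d\n", checks[i].name,
               imap_search_model(0, 0, checks[i].c),
               imap_search_model(SE_UID, 1, checks[i].c),
               imap_search_model(SE_FREE | SE_UID, 1, checks[i].c));
    }
    return 0;
}
```

The table the program prints makes the failure modes visible side by side: the 5.2.10 wrapper records two release attempts whenever SE_FREE is in effect (including the no-flags default), an equality test fixes the default case but still double-frees for SE_FREE | SE_UID, and only the bitwise test yields exactly one release for every flag combination.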

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/48619
