From: askalski at gmail dot com
Operating system: Ubuntu 12.04 LTS
PHP version: master-Git-2013-03-20 (Git)
Package: IMAP related
Bug Type: Bug
Bug description: Segmentation fault after imap_reopen failure
Description:
------------
Versions: 5.2, 5.3, 5.4, also confirmed on latest git master (78acb84b6e8fc07974283ce30c24596444d18cf7)

PHP will crash with a Segmentation Fault after imap_reopen() fails with the error message "imap_reopen(): Couldn't re-open stream ..."

When the UW-IMAP function 'mail_open' returns NIL after having been passed a valid MAILSTREAM pointer, this means UW-IMAP closed and freed the MAILSTREAM. However, PHP ignores this and returns FALSE without zeroing out imap_le_struct->imap_stream and calling zend_list_delete on the resource.

Because the resource was not freed, mail_close_it (the resource destructor) gets called on an invalid pointer during request shutdown. If you're lucky, this crashes PHP with a Segmentation Fault. (If you're unlucky, you've got a corrupt PHP interpreter handling new requests...)

Test script:
---------------
<?php
/* This should succeed */
$imap = imap_open("INBOX", "", "");
echo "imap_open returned: ";
var_dump($imap);

/* This should fail */
$reopen = imap_reopen($imap, "{this*connection*will*fail}");
echo "imap_reopen returned: ";
var_dump($reopen);
flush();

/* Brace yourself for a segfault. UW-IMAP freed the MAILSTREAM structure,
 * but PHP did not null out the pointer or free the resource. When the
 * script exits, it will call the resource destructor (mail_close_it)
 * on a pointer that was already freed. */
?>

Expected result:
----------------
No crash.
Actual result:
--------------
$ /tmp/z/bin/php -v
PHP 5.6.0-dev (cli) (built: Mar 20 2013 12:13:31)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.6.0-dev, Copyright (c) 1998-2013 Zend Technologies

$ /tmp/z/bin/php imap-crash.php
imap_open returned: resource(4) of type (imap)

Warning: imap_reopen(): Couldn't re-open stream in /tmp/imap-crash.php on line 10
imap_reopen returned: bool(false)
Segmentation fault (core dumped)

-- 
Edit bug report at https://bugs.php.net/bug.php?id=64467&edit=1
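The ownership problem the report describes, modelled in plain C as an added example (this is not code from php_imap.c or UW-IMAP): a mock mail_open that frees the stream it was handed when it fails, a wrapper struct standing in for imap_le_struct, and the reopen handling in both its dangling form and the corrected form that nulls the pointer and releases the resource before returning FALSE. All type names, the mock functions and the "contains '*' means failure" rule are constructed for the example; the destructor stand-in only frees a stream the wrapper still owns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for UW-IMAP's MAILSTREAM. */
typedef struct {
    char mailbox[64];
    int  open;
} MAILSTREAM;

/* Constructed stand-in for the PHP resource wrapper (imap_le_struct).
 * resource_live mimics the entry in the zend resource list. */
typedef struct {
    MAILSTREAM *imap_stream;
    int         resource_live;
} imap_le_struct;

/* Mock mail_open(): on success returns a stream (allocating one if none was
 * passed). On failure it frees the stream it was handed and returns NULL,
 * which is the contract the bug report attributes to UW-IMAP.
 * Failure condition is constructed: any mailbox name containing '*'. */
static MAILSTREAM *mock_mail_open(MAILSTREAM *stream, const char *mailbox)
{
    if (strchr(mailbox, '*') != NULL) {
        free(stream);              /* caller's pointer is now dangling */
        return NULL;
    }
    if (stream == NULL) {
        stream = calloc(1, sizeof *stream);
        if (stream == NULL) return NULL;
    }
    snprintf(stream->mailbox, sizeof stream->mailbox, "%s", mailbox);
    stream->open = 1;
    return stream;
}

/* Dangling variant: returns FALSE but leaves the freed pointer in place
 * and the resource registered, so the destructor will touch freed memory. */
static int reopen_dangling(imap_le_struct *le, const char *mailbox)
{
    MAILSTREAM *s = mock_mail_open(le->imap_stream, mailbox);
    if (s == NULL) return 0;
    le->imap_stream = s;
    return 1;
}

/* Corrected variant: on failure, zero the pointer and release the resource
 * (resource_live = 0 stands in for zend_list_delete). */
static int reopen_fixed(imap_le_struct *le, const char *mailbox)
{
    MAILSTREAM *s = mock_mail_open(le->imap_stream, mailbox);
    if (s == NULL) {
        le->imap_stream   = NULL;
        le->resource_live = 0;
        return 0;
    }
    le->imap_stream = s;
    return 1;
}

/* Stand-in for the resource destructor (mail_close_it). Returns 1 if it
 * freed a stream, 0 if the resource was already gone. */
static int mock_mail_close_it(imap_le_struct *le)
{
    if (!le->resource_live || le->imap_stream == NULL) return 0;
    free(le->imap_stream);
    le->imap_stream   = NULL;
    le->resource_live = 0;
    return 1;
}

/* Open, failing reopen, then request shutdown with the corrected handling.
 * Returns 1 when no dangling pointer remains and the destructor is a no-op. */
int run_fixed_scenario(void)
{
    imap_le_struct le = { NULL, 1 };
    le.imap_stream = mock_mail_open(NULL, "INBOX");
    if (le.imap_stream == NULL) return -1;
    if (reopen_fixed(&le, "{this*connection*will*fail}") != 0) return -2;
    if (le.imap_stream != NULL || le.resource_live != 0) return -3;
    return mock_mail_close_it(&le) == 0 ? 1 : -4;
}

/* Same sequence with the dangling handling, stopping before shutdown so the
 * freed pointer is never dereferenced. Returns 1 when the wrapper still holds
 * a non-NULL stream and a live resource after the failed reopen, i.e. the
 * state in which the real destructor would run on freed memory. */
int dangling_state_after_failed_reopen(void)
{
    imap_le_struct le = { NULL, 1 };
    le.imap_stream = mock_mail_open(NULL, "INBOX");
    if (le.imap_stream == NULL) return -1;
    int r = reopen_dangling(&le, "{this*connection*will*fail}");
    return (r == 0 && le.imap_stream != NULL && le.resource_live == 1) ? 1 : 0;
}

int main(void)
{
    printf("fixed handling, clean shutdown: %d\n", run_fixed_scenario());
    printf("dangling handling leaves stale resource: %d\n",
           dangling_state_after_failed_reopen());
    return 0;
}
```

The check a reviewer would want on any wrapper around a library that may free what it was given: after a failed call, either the wrapper's pointer is NULL and the resource is unregistered, or the library's ownership contract says the pointer is still valid. Running the dangling variant through to shutdown under AddressSanitizer reports the double free directly, which is a cheaper way to confirm this class of bug than waiting for the segfault the report shows.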