Edit report at https://bugs.php.net/bug.php?id=64467&edit=1
ID: 64467
Updated by: fel...@php.net
Reported by: askalski at gmail dot com
Summary: Segmentation fault after imap_reopen failure
-Status: Open
+Status: Closed
Type: Bug
Package: IMAP related
Operating System: Ubuntu 12.04 LTS
PHP Version: master-Git-2013-03-20 (Git)
Block user comment: N
Private report: N

New Comment:

Automatic comment on behalf of felipe...@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=60dcc5851f0dd7cf387270d6ba243f9ac46bc396
Log: - Fixed bug #64467 (Segmentation fault after imap_reopen failure) patch by: askalski at gmail dot com

Previous Comments:
------------------------------------------------------------------------
[2013-03-20 16:30:08] askalski at gmail dot com

Description:
------------
Versions: 5.2, 5.3, 5.4, also confirmed on latest git master (78acb84b6e8fc07974283ce30c24596444d18cf7)

PHP will crash with a Segmentation Fault after imap_reopen() fails with the error message "imap_reopen(): Couldn't re-open stream ..."

When the UW-IMAP function 'mail_open' returns NIL after having been passed a valid MAILSTREAM pointer, this means UW-IMAP closed and freed the MAILSTREAM. However, PHP ignores this and returns FALSE without zeroing out imap_le_struct->imap_stream and calling zend_list_delete on the resource.

Because the resource was not freed, mail_close_it (the resource destructor) gets called on an invalid pointer during request shutdown. If you're lucky, this crashes PHP with a Segmentation Fault. (If you're unlucky, you've got a corrupt PHP interpreter handling new requests...)

Test script:
---------------
<?php

/* This should succeed */
$imap = imap_open("INBOX", "", "");
echo "imap_open returned: ";
var_dump($imap);

/* This should fail */
$reopen = imap_reopen($imap, "{this*connection*will*fail}");
echo "imap_reopen returned: ";
var_dump($reopen);
flush();

/* Brace yourself for a segfault. UW-IMAP freed the MAILSTREAM structure,
 * but PHP did not null out the pointer or free the resource. When the
 * script exits, it will call the resource destructor (mail_close_it)
 * on a pointer that was already freed. */
?>

Expected result:
----------------
No crash.

Actual result:
--------------
$ /tmp/z/bin/php -v
PHP 5.6.0-dev (cli) (built: Mar 20 2013 12:13:31)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.6.0-dev, Copyright (c) 1998-2013 Zend Technologies

$ /tmp/z/bin/php imap-crash.php
imap_open returned: resource(4) of type (imap)

Warning: imap_reopen(): Couldn't re-open stream in /tmp/imap-crash.php on line 10
imap_reopen returned: bool(false)
Segmentation fault (core dumped)

------------------------------------------------------------------------
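The lifetime defect the report describes, modelled in stand-alone C as an added illustration: this is not PHP's php_imap.c, UW-IMAP's c-client, or the committed fix, and fake_stream, fake_mail_open, imap_resource, resource_dtor, resource_delete and run_scenario are constructed stand-ins for MAILSTREAM, mail_open, imap_le_struct, mail_close_it, zend_list_delete and the request lifecycle. The library frees the stream on a failed reopen; the buggy handler leaves the stale pointer in the resource, so the destructor that runs at request shutdown closes an already-freed stream; the hardened handler clears the pointer and deletes the resource immediately, as the report recommends. Streams are kept in a static pool with a live flag so the stale close is counted rather than executed as real undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug #64467 lifetime problem. Nothing here is PHP's
 * php_imap.c or UW-IMAP's c-client; the names mirror the report's wording. */

/* Stand-in for MAILSTREAM. Streams live in a static pool and "freeing" one only
 * clears its live flag, so a later access through a stale pointer can be
 * counted instead of triggering real undefined behaviour. */
typedef struct { int id; int live; } fake_stream;

#define MAX_STREAMS 8
static fake_stream pool[MAX_STREAMS];
static int pool_used;
static int stale_close_attempts;   /* destructor calls that hit a freed stream */

static fake_stream *stream_new(void)
{
    fake_stream *s = &pool[pool_used++];
    s->id = pool_used;
    s->live = 1;
    return s;
}

static void stream_free(fake_stream *s) { s->live = 0; }

/* Model of mail_open(stream, mailbox, flags) as the report describes it: when
 * reopening an existing stream fails, the library has already closed and freed
 * that stream and returns NIL. A mailbox starting with "{fail}" forces failure. */
static fake_stream *fake_mail_open(fake_stream *stream, const char *mailbox)
{
    if (strncmp(mailbox, "{fail}", 6) == 0) {
        if (stream) stream_free(stream);
        return NULL;
    }
    return stream ? stream : stream_new();
}

/* Model of the imap_le_struct resource and of mail_close_it, its destructor. */
typedef struct { fake_stream *imap_stream; int registered; } imap_resource;

static void resource_dtor(imap_resource *r)
{
    if (r->imap_stream == NULL) return;      /* assumed: close tolerates a NULL stream */
    if (!r->imap_stream->live) {             /* in the real code this is a use-after-free */
        stale_close_attempts++;
        return;
    }
    stream_free(r->imap_stream);
    r->imap_stream = NULL;
}

/* Model of zend_list_delete: unregister the resource, which runs its destructor
 * now instead of at request shutdown. */
static void resource_delete(imap_resource *r)
{
    r->registered = 0;
    resource_dtor(r);
}

/* imap_reopen() as reported: on failure the freed pointer stays in the resource. */
static int reopen_buggy(imap_resource *r, const char *mailbox)
{
    fake_stream *s = fake_mail_open(r->imap_stream, mailbox);
    if (s == NULL) return 0;
    r->imap_stream = s;
    return 1;
}

/* Hardened handler following the report: once the library says it freed the
 * stream, clear the pointer and delete the resource before returning FALSE. */
static int reopen_fixed(imap_resource *r, const char *mailbox)
{
    fake_stream *s = fake_mail_open(r->imap_stream, mailbox);
    if (s == NULL) {
        r->imap_stream = NULL;
        resource_delete(r);
        return 0;
    }
    r->imap_stream = s;
    return 1;
}

/* Replays the report's test script: open, fail to reopen, then request shutdown
 * runs the destructor of every resource still registered. Returns how many
 * destructor calls hit a freed stream; 0 means no use-after-free. */
int run_scenario(int use_fixed)
{
    pool_used = 0;
    stale_close_attempts = 0;
    imap_resource r = { fake_mail_open(NULL, "INBOX"), 1 };
    int ok = use_fixed ? reopen_fixed(&r, "{fail}") : reopen_buggy(&r, "{fail}");
    if (!ok) printf("imap_reopen failed (%s handler)\n", use_fixed ? "fixed" : "buggy");
    if (r.registered) resource_dtor(&r);     /* request shutdown */
    return stale_close_attempts;
}

int main(void)
{
    printf("buggy handler: %d stale close(s)\n", run_scenario(0));
    printf("fixed handler: %d stale close(s)\n", run_scenario(1));
    return 0;
}
```

The key design point is that ownership of the stream transfers to the library the moment the reopen fails: the resource must forget the pointer in the same code path that learns of the failure, not rely on a later destructor that has no way to tell a live stream from a freed one.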