From: [EMAIL PROTECTED]
Operating system: RH Linux 7.3
PHP version: 4.2.3
PHP Bug Type: IMAP related
Bug description: PHP crashes with signal 11 while trying to parse message with
uncommon headers
Hi,
I found two bugs on the imap handling functions in PHP 4.2.3:
- If a message contains a header with empty contents (like Reply-to:
or Sender: ), the web server running php crashes whenever a script tries
to parse this message. I ran Apache 1.3.26 compiled against ElectricFence
and found out that the bug is on _php_make_header_object: if the header
contents are empty, _php_imap_parse_address won't allocate memory for
fulladdress, but the function will call free() on fulladdress
nevertheless. This leads to heap corruption and subsequent segmentation
fault.
- It seems like _php_imap_address_size doesn't compute the header size
correctly. If the number of addresses in a field is very large, this leads
to a buffer overflow in c-client's rfc822_address.
My setup is:
Apache 1.3.26
PHP 4.2.3 compiled as a DSO with the following options:
/configure --prefix=/data/www/consumer/conf --enable-track-vars
--with-imap=/usr/local/app/imap-2002 --with-ldap=/usr/local/app/openldap
--with-oracle=/usr/local/app/oracle_client
--with-oci8=/usr/local/app/oracle_client
--with-apxs=/data/www/consumer/bin/apxs
--with-msession=/usr/local/app/phoenix --with-mysql
--with-openssl=/usr/local/app/openssl --with-xml
--with-curl=/usr/local/app/curl
Test messages:
- For the first bug: any message with a header field with empty
contents (like Sender: )
- For the second bug: any message with a large (in my test there were
500) number of recipients on the To: or Cc: fields.
Backtrace for the first bug:
0x4009fa01 in __kill () at __kill:-1
#1 0x0809a69d in EF_Abort (pattern=0x80aa540 free(%a): address not from
malloc().) at print.c:137
#2 0x08099f2a in free (address=0x4eacabcc) at efence.c:632
#3 0x404cc5b3 in _php_make_header_object (myzvalue=0x4ec6ffec,
en=0x4ee32fbc) at php_imap.c:3724
#4 0x404c186b in zif_imap_headerinfo (ht=2, return_value=0x4ec6ffec,
this_ptr=0x0, return_value_used=1) at php_imap.c:1631
#5 0x40482e39 in execute (op_array=0x463affa4) at ./zend_execute.c:1598
#6 0x40493b2c in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at zend.c:812
#7 0x404a63b6 in php_execute_script (primary_file=0xb6b0) at
main.c:1383
#8 0x404a0dbe in apache_php_module_main (r=0x445b9028,
display_source_mode=0) at sapi_apache.c:90
#9 0x404a1c2c in send_php (r=0x445b9028, display_source_mode=0,
filename=0x445bacc8 /data/www/consumer/htdocs/memail/mailbox.php3)
at mod_php4.c:575
#10 0x404a1c99 in send_parsed_php (r=0x445b9028) at mod_php4.c:590
#11 0x08055287 in ap_invoke_handler ()
#12 0x0806a307 in process_request_internal ()
#13 0x0806a368 in ap_process_request ()
#14 0x08061289 in child_main ()
#15 0x08061458 in make_child ()
#16 0x080615cc in startup_children ()
#17 0x08061c44 in standalone_main ()
#18 0x080624c3 in main ()
#19 0x4008d507 in __libc_start_main (main=0x8062100 main, argc=2,
ubp_av=0xbae4, init=0x804f718 _init,
fini=0x809a8f0 _fini, rtld_fini=0x4000dc14 _dl_fini,
stack_end=0xbadc) at ../sysdeps/generic/libc-start.c:129
Backtrace for the second bug:
#0 0x400f68f7 in strcat () at strcat:-1
#1 0x4f5e7fe8 in ?? ()
#2 0x405b74b9 in rfc822_write_address_full (
dest=0x4faa36a8 \[EMAIL PROTECTED]\ [EMAIL PROTECTED],
\[EMAIL PROTECTED]\ [EMAIL PROTECTED],
\[EMAIL PROTECTED]\ [EMAIL PROTECTED],
\[EMAIL PROTECTED]\ agre...,
adr=0x4eea7fe8, base=0x0) at rfc822.c:193
#3 0x404cbce6 in _php_imap_parse_address (addresslist=0x4eea7fe8,
fulladdress=0xbfff472c, paddress=0x4f6eafec)
at php_imap.c:3626
#4 0x404cc173 in _php_make_header_object (myzvalue=0x4f6adfec,
en=0x4eba5fbc) at php_imap.c:3667
#5 0x404c186b in zif_imap_headerinfo (ht=2, return_value=0x4f6adfec,
this_ptr=0x0, return_value_used=1) at php_imap.c:1631
#6 0x40482e39 in execute (op_array=0x446b1fa4) at ./zend_execute.c:1598
#7 0x40493b2c in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at zend.c:812
#8 0x404a63b6 in php_execute_script (primary_file=0xb6d0) at
main.c:1383
#9 0x404a0dbe in apache_php_module_main (r=0x445b9028,
display_source_mode=0) at sapi_apache.c:90
#10 0x404a1c2c in send_php (r=0x445b9028, display_source_mode=0,
filename=0x445bace8 /data/www/consumer/htdocs/memail/mailbox.php3)
at mod_php4.c:575
#11 0x404a1c99 in send_parsed_php (r=0x445b9028) at mod_php4.c:590
#12 0x08055287 in ap_invoke_handler ()
#13 0x0806a307 in process_request_internal ()
#14 0x0806a368 in ap_process_request ()
#15 0x08061289 in child_main ()
#16 0x08061458 in make_child ()
#17 0x080615cc in startup_children ()
#18 0x08061c44 in standalone_main ()
#19 0x080624c3 in main ()
#20 0x4008d507 in __libc_start_main (main=0x8062100 main, argc=2,
ubp_av=0xbb04, init=0x804f718 _init,
fini=0x809a8f0 _fini,
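Added example, not the reporter's code and not PHP's or c-client's: a minimal C model of the two defects described at the top of the report (free() on a fulladdress pointer that was never allocated for an empty header, and a destination size that undercounts a long recipient list). The ADDRESS struct is cut down and the names address_list_size, format_address_list and formatted_length are assumed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for c-client's ADDRESS list (assumption: only the fields this
 * example needs are modelled; the real struct is larger). */
typedef struct address {
    const char *mailbox;
    const char *host;
    struct address *next;
} address_t;
/* Exact byte count for "mailbox@host, mailbox@host, ..." plus the NUL: every
 * byte that will be written is counted, however long the To:/Cc: list is. */
size_t address_list_size(const address_t *adr) {
    size_t n = 1;                                        /* NUL terminator */
    for (; adr; adr = adr->next) {
        n += strlen(adr->mailbox) + 1 + strlen(adr->host);  /* "mailbox@host" */
        if (adr->next) n += 2;                           /* ", " separator */
    }
    return n;
}
/* Returns a malloc'd string, or NULL for an empty header (nothing allocated). */
char *format_address_list(const address_t *adr) {
    if (!adr) return NULL;
    size_t cap = address_list_size(adr), used = 0;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    for (; adr; adr = adr->next) {
        int w = snprintf(buf + used, cap - used, "%s@%s%s",
                         adr->mailbox, adr->host, adr->next ? ", " : "");
        if (w < 0 || (size_t)w >= cap - used) { free(buf); return NULL; }
        used += (size_t)w;
    }
    return buf;
}
/* Caller pattern: build n identical addresses, format them and return the
 * formatted length (0 for an empty header); free only what was allocated. */
size_t formatted_length(size_t n) {
    address_t *list = n ? calloc(n, sizeof *list) : NULL;
    for (size_t i = 0; list && i < n; i++) {
        list[i].mailbox = "user"; list[i].host = "example.org";
        list[i].next = (i + 1 < n) ? &list[i + 1] : NULL;
    }
    char *fulladdress = format_address_list(list);   /* NULL, never garbage, when empty */
    size_t len = fulladdress ? strlen(fulladdress) : 0;
    if (fulladdress) free(fulladdress);              /* skip free() when nothing was parsed */
    free(list);
    return len;
}
```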