#20254 [Opn-Fbk]: imap_header() crash with bad Reply-To

2002-12-07 Thread iliaa
 ID:   20254
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
-Status:   Open
+Status:   Feedback
 Bug Type: IMAP related
 Operating System: Linux (2.4.18)
 PHP Version:  4.3.0-dev
 New Comment:

Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip




Previous Comments:


[2002-12-02 13:51:15] [EMAIL PROTECTED]

hello.
similar problem, imap_header() crash, but with other condition - long
To: header
php 4.2.3 as CLI,libc-client: 4.7-c2

bug can be reproduced with message containing following header:
To: Someone [EMAIL PROTECTED],
Someone2 [EMAIL PROTECTED],
...
Someone144 email144@somehost

I didn't test actual threshold, it could be smaller than 144.

test script:
$imap = imap_open("{localhost:143}INBOX", "user", "pass");
if (!$imap)
  echo "connect failed\n";
$header = imap_header($imap, 1);

backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x3d0f86 in malloc () from /lib/libc.so.6
(gdb) bt
#0  0x3d0f86 in malloc () from /lib/libc.so.6
#1  0x3d0ca4 in malloc () from /lib/libc.so.6
#2  0x80c723c in _emalloc (size=12) at zend_alloc.c:165
#3  0x53e39e in _php_imap_parse_address (addresslist=0x817bfe0,
fulladdress=0xbd870ec8, paddress=0x818476c) at php_imap.c:3632
#4  0x53e62e in _php_make_header_object (myzvalue=0x8178c3c,
en=0x817ce58)
at php_imap.c:3666
#5  0x536dbd in zif_imap_headerinfo (ht=2, return_value=0x8178c3c,
this_ptr=0x0, return_value_used=1) at php_imap.c:1631
#6  0x497d99 in zend_assign_to_variable_reference ()
   from /usr/local/Zend/lib/ZendOptimizer.so
#7  0x4a1144 in zend_oe () from /usr/local/Zend/lib/ZendOptimizer.so
#8  0x80d3fb8 in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
at zend.c:812
#9  0x805f81d in php_execute_script (primary_file=0xbd873388) at
main.c:1383
#10 0x805d6e3 in main (argc=2, argv=0xbd873404) at cgi_main.c:778
#11 0x37c0bf in __libc_start_main () from /lib/libc.so.6



[2002-11-14 22:39:24] [EMAIL PROTECTED]

I'm in another situation.

I configured php with uw-imap c-client, but
courier-imap server is running.

Stopping the courier-imap server and testing with the uw-imap server,
there was no crash.

Testing with the courier-imap server again, here is the backtrace report.

(gdb) bt
#0  0x403b480e in _zval_ptr_dtor (zval_ptr=0x0, 
__zend_filename=0x4046de00
/usr/local/src/php4-200211030600/Zend/zend_variables.c,
__zend_lineno=167)
at /usr/local/src/php4-200211030600/Zend/zend_execute_API.c:291
#1  0x403be4d2 in _zval_ptr_dtor_wrapper (zval_ptr=0x0) at
/usr/local/src/php4-200211030600/Zend/zend_variables.c:167
#2  0x403c5a01 in zend_hash_destroy (ht=0x812eacc) at
/usr/local/src/php4-200211030600/Zend/zend_hash.c:543
#3  0x403be19a in _zval_dtor (zvalue=0x812ea8c, 
__zend_filename=0x4046d6a0
/usr/local/src/php4-200211030600/Zend/zend_execute_API.c,
__zend_lineno=293)
at /usr/local/src/php4-200211030600/Zend/zend_variables.c:60
#4  0x403b4839 in _zval_ptr_dtor (zval_ptr=0x811c820, 
__zend_filename=0x4046de00
/usr/local/src/php4-200211030600/Zend/zend_variables.c,
__zend_lineno=167)
at /usr/local/src/php4-200211030600/Zend/zend_execute_API.c:293
#5  0x403be4d2 in _zval_ptr_dtor_wrapper (zval_ptr=0x811c820) at
/usr/local/src/php4-200211030600/Zend/zend_variables.c:167
#6  0x403c5a01 in zend_hash_destroy (ht=0x404da80c) at
/usr/local/src/php4-200211030600/Zend/zend_hash.c:543
#7  0x403b433e in shutdown_executor () at
/usr/local/src/php4-200211030600/Zend/zend_execute_API.c:186
#8  0x403bf70f in zend_deactivate () at
/usr/local/src/php4-200211030600/Zend/zend.c:625
#9  0x40387bd3 in php_request_shutdown (dummy=0x0) at
/usr/local/src/php4-200211030600/main/main.c:913
#10 0x403d6dfa in apache_php_module_main (r=0x8114ad4,
display_source_mode=0)
at /usr/local/src/php4-200211030600/sapi/apache/sapi_apache.c:61
#11 0x403d7c48 in send_php (r=0x8114ad4, display_source_mode=0,
filename=0x8116614 /home/www/test.php)
at /usr/local/src/php4-200211030600/sapi/apache/mod_php4.c:556
#12 0x403d7cb5 in send_parsed_php (r=0x8114ad4) at
/usr/local/src/php4-200211030600/sapi/apache/mod_php4.c:571
#13 0x08054823 in ap_invoke_handler ()
#14 0x08069ca7 in process_request_internal ()
#15 0x08069d08 in ap_process_request ()
#16 0x08060a79 in child_main ()
#17 0x08060c48 in make_child ()
#18 0x08060dbc in startup_children ()
#19 0x08061434 in standalone_main ()
#20 0x08061cb3 in main ()
#21 0x400ad1c4 in __libc_start_main () from /lib/libc.so.6
(gdb)



[2002-11-13 12:41:38] [EMAIL PROTECTED]

Can you provide a backtrace using the latest CVS snapshot
and compiled with Apache 1.3 ?



#20254 [Opn-Fbk]: imap_header() crash with bad Reply-To

2002-11-08 Thread sniper
 ID:   20254
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
-Status:   Open
+Status:   Feedback
 Bug Type: IMAP related
 Operating System: Linux (2.4.18)
 PHP Version:  4.3.0-dev
 New Comment:

So it works? Only crashes with Apache2 ?



Previous Comments:


[2002-11-08 00:08:24] [EMAIL PROTECTED]

CLI (command line) php test was all right.

apache2 configured with --prefix=/usr/local/apache2 --enable-so



[2002-11-07 18:53:37] [EMAIL PROTECTED]

Try this with the CLI (command line) php. Maybe another thread-safety
issue..? How did you configure apache2?




[2002-11-06 08:42:27] [EMAIL PROTECTED]

Your second bt shows that it's not an IMAP specific problem, which is
interesting that it manifests itself in IMAP only.

Can you reproduce this with non Apache2 as well (using the latest CVS
of course)?  I know you probably hate me for asking this.



[2002-11-05 23:34:00] [EMAIL PROTECTED]

I deleted many html tags and php code.
Ctrl+F5(reload) gives good result or crash.

$ cat test.php
<?php
$mailbox = imap_open("{localhost:143}.INBOX.test",
"[EMAIL PROTECTED]", "**");
$object = imap_fetchstructure($mailbox, 1);

$header = imap_header($mailbox, 1);

$from = $header->from[0]->personal;
if(!$from) $from = $header->from[0]->mailbox;

$subject = htmlspecialchars(chop($header->Subject));
if(!$subject) $subject = "Null !!";

$to = $header->to[0]->personal;
if(!$to) $to = $header->to[0]->mailbox;

echo("Subject: $subject<br>");
echo("Date : " . $header->Date . "<br>");
echo("From : $from<br>");
echo("To : $to<br>");

imap_close($mailbox);
?>



[2002-11-05 14:29:25] [EMAIL PROTECTED]

The last error implies crash somewhere in the Apache 2 code. Does this
crash happen on any particular script, if so, could you please provide
the smallest possible version of such a script that can be used to
replicate the problem.



The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/20254

-- 
Edit this bug report at http://bugs.php.net/?id=20254&edit=1




#20254 [Opn-Fbk]: imap_header() crash with bad Reply-To

2002-11-06 Thread kalowsky
 ID:   20254
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
-Status:   Open
+Status:   Feedback
 Bug Type: IMAP related
 Operating System: Linux (2.4.18)
 PHP Version:  4.2.3
 New Comment:

Your second bt shows that it's not an IMAP specific problem, which is
interesting that it manifests itself in IMAP only.

Can you reproduce this with non Apache2 as well (using the latest CVS
of course)?  I know you probably hate me for asking this.


Previous Comments:


[2002-11-05 09:43:28] [EMAIL PROTECTED]

I tried above cvs version.
It worked but apache logs said,

[Wed Nov 06 00:44:50 2002] [notice] child pid 15305 exit signal
Segmentation fault (11)
[Wed Nov 06 00:44:55 2002] [notice] child pid 15371 exit signal
Segmentation fault (11)
[Wed Nov 06 00:44:58 2002] [notice] child pid 15401 exit signal
Segmentation fault (11)


and the back-trace here.

(gdb) bt
#0  0x402debd3 in chunk_alloc () from /lib/libc.so.6
#1  0x402de9d0 in malloc () from /lib/libc.so.6
#2  0x4052b06f in _emalloc (size=256, __zend_filename=0x405e8740
/usr/local/src/php4-200211030600/Zend/zend_stack.c,
__zend_lineno=27, __zend_orig_filename=0x0, __zend_orig_lineno=0)
at /usr/local/src/php4-200211030600/Zend/zend_alloc.c:154
#3  0x4053d0de in zend_stack_init (stack=0x40654380) at
/usr/local/src/php4-200211030600/Zend/zend_stack.c:27
#4  0x4052c3d6 in zend_init_compiler_data_structures () at
/usr/local/src/php4-200211030600/Zend/zend_compile.c:73
#5  0x4052c4f0 in init_compiler () at
/usr/local/src/php4-200211030600/Zend/zend_compile.c:100
#6  0x4053e998 in zend_activate () at
/usr/local/src/php4-200211030600/Zend/zend.c:594
#7  0x40506bba in php_request_startup () at
/usr/local/src/php4-200211030600/main/main.c:833
#8  0x40556c1a in php_apache_request_ctor (f=0x81dcb68, ctx=0x81df000)
at
/usr/local/src/php4-200211030600/sapi/apache2filter/sapi_apache2.c:375
#9  0x40556e67 in php_output_filter (f=0x81dcb68, bb=0x81dce60)
at
/usr/local/src/php4-200211030600/sapi/apache2filter/sapi_apache2.c:449
#10 0x080ac5a7 in ap_pass_brigade (next=0x81dcb68, bb=0x81dcc98) at
util_filter.c:540
#11 0x080b2868 in default_handler (r=0x81dd9c8) at core.c:3317
#12 0x080a1bd6 in ap_run_handler (r=0x81dd9c8) at config.c:194
#13 0x080a20f1 in ap_invoke_handler (r=0x81dd9c8) at config.c:401
#14 0x08084e93 in ap_process_request (r=0x81dd9c8) at
http_request.c:288
#15 0x080810b8 in ap_process_http_connection (c=0x81d3578) at
http_core.c:293
#16 0x080aa6b6 in ap_run_process_connection (c=0x81d3578) at
connection.c:85
#17 0x080a0889 in child_main (child_num_arg=0) at prefork.c:696
#18 0x080a093c in make_child (s=0x812b950, slot=0) at prefork.c:736
#19 0x080a0a26 in startup_children (number_to_start=5) at
prefork.c:808
#20 0x080a0d28 in ap_mpm_run (_pconf=0x80e8690, plog=0x8126788,
s=0x812b950) at prefork.c:1024
#21 0x080a5dab in main (argc=2, argv=0xba44) at main.c:643
#22 0x402821c4 in __libc_start_main () from /lib/libc.so.6



[2002-11-05 07:18:10] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip






#20254 [Opn-Fbk]: imap_header() crash with bad Reply-To

2002-11-05 Thread iliaa
 ID:   20254
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
-Status:   Open
+Status:   Feedback
 Bug Type: IMAP related
 Operating System: Linux (2.4.18)
 PHP Version:  4.2.3
 New Comment:

Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip




Previous Comments:


[2002-11-05 03:54:59] [EMAIL PROTECTED]

Here is the gdb backtrace.
(gdb) run -X
Starting program: /usr/local/apache2/bin/httpd -X
[New Thread 1024 (LWP 21817)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 21817)]
0x402df6dc in chunk_free () from /lib/libc.so.6
(gdb) bt
#0  0x402df6dc in chunk_free () from /lib/libc.so.6
#1  0x402df548 in free () from /lib/libc.so.6
#2  0x404583a7 in _php_make_header_object (myzvalue=0x823b188,
en=0x82444a8, tsrm_ls=0x8186838) at php_imap.c:3724
#3  0x4044d232 in zif_imap_headerinfo (ht=2, return_value=0x823b188,
this_ptr=0x0, return_value_used=1, tsrm_ls=0x8186838)
at php_imap.c:1631
#4  0x403fd5f0 in execute (op_array=0x81e1d08, tsrm_ls=0x8186838) at
./zend_execute.c:1598
#5  0x404100ed in zend_execute_scripts (type=8, tsrm_ls=0x8186838,
retval=0x0, file_count=3) at zend.c:812
#6  0x404236fd in php_execute_script (primary_file=0xb730,
tsrm_ls=0x8186838) at main.c:1383
#7  0x4041e959 in php_output_filter (f=0x81d9980, bb=0x81d9ef0) at
sapi_apache2.c:409
#8  0x080ac5a7 in ap_pass_brigade (next=0x81d9980, bb=0x81d9ab0) at
util_filter.c:540
#9  0x080b2868 in default_handler (r=0x81ce7b0) at core.c:3317
#10 0x080a1bd6 in ap_run_handler (r=0x81ce7b0) at config.c:194
#11 0x080a20f1 in ap_invoke_handler (r=0x81ce7b0) at config.c:401
#12 0x08084e93 in ap_process_request (r=0x81ce7b0) at
http_request.c:288
#13 0x080810b8 in ap_process_http_connection (c=0x81ca3b0) at
http_core.c:293
#14 0x080aa6b6 in ap_run_process_connection (c=0x81ca3b0) at
connection.c:85
#15 0x080a0889 in child_main (child_num_arg=0) at prefork.c:696
#16 0x080a093c in make_child (s=0x812b950, slot=0) at prefork.c:736
#17 0x080a0a26 in startup_children (number_to_start=5) at
prefork.c:808
#18 0x080a0d28 in ap_mpm_run (_pconf=0x80e8690, plog=0x8126788,
s=0x812b950) at prefork.c:1024
#19 0x080a5dab in main (argc=2, argv=0xba44) at main.c:643
#20 0x402821c4 in __libc_start_main () from /lib/libc.so.6
(gdb)



[2002-11-05 01:52:28] [EMAIL PROTECTED]

imap_header() quietly crashes.
This sample message has a bad Reply-To header.

machine A)
php : 4.2.3
c-client : imap-2001a
apache : 1.3.26

machine B)
php : 4.2.3
c-client : imap-2002.RC10
apache : 2.0.42

The above two machines got the same result.

--
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 2862 invoked by uid 0); 5 Nov 2002 16:36:11 +0900
Date: 5 Nov 2002 16:36:11 +0900
Message-ID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: 
Subject: This is Subject

This is body.

--




-- 
Edit this bug report at http://bugs.php.net/?id=20254&edit=1
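
A screening check for the two header conditions reported in this thread (an address header with no value, and a To: header carrying a very long address list), added here as an example; it is not part of the bug report or of PHP itself. The function names and the MAX_ADDRESSES limit are assumptions: the thread only establishes that 144 addresses crashed and says the real threshold was not tested.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Function names and MAX_ADDRESSES are assumptions made for illustration.
define('MAX_ADDRESSES', 50); // assumed limit; the thread only shows that 144 crashed

// Split a raw header block into lower-cased name => list of unfolded values.
function parse_raw_headers($raw)
{
    $raw = preg_replace('/\r\n?/', "\n", $raw);   // normalise line endings
    $end = strpos($raw, "\n\n");                  // headers end at the first blank line
    if ($end !== false) $raw = substr($raw, 0, $end);
    $raw = preg_replace('/\n[ \t]+/', ' ', $raw); // unfold continuation lines
    $headers = array();
    foreach (explode("\n", $raw) as $line) {
        $pos = strpos($line, ':');
        if ($pos === false || $pos === 0) continue; // not a "Name: value" line
        $name = strtolower(trim(substr($line, 0, $pos)));
        $headers[$name][] = trim((string) substr($line, $pos + 1));
    }
    return $headers;
}

// Count list entries, ignoring commas inside quoted strings and
// (non-nested) parenthesised comments.
function count_addresses($value)
{
    $value = preg_replace('/"(?:[^"\\\\]|\\\\.)*"/', 'q', $value);
    $value = preg_replace('/\([^()]*\)/', '', $value);
    $count = 0;
    foreach (explode(',', $value) as $part) {
        if (trim($part) !== '') {
            $count++;
        }
    }
    return $count;
}

// Return the reasons a header block matches either reported condition;
// an empty array means neither condition was found.
function risky_address_headers($raw)
{
    $reasons = array();
    $headers = parse_raw_headers($raw);
    foreach (array('from', 'to', 'cc', 'bcc', 'reply-to', 'sender') as $name) {
        $values = isset($headers[$name]) ? $headers[$name] : array();
        foreach ($values as $value) {
            $n = count_addresses($value);
            if ($n === 0) {
                $reasons[] = "$name: present but empty";
            } elseif ($n > MAX_ADDRESSES) {
                $reasons[] = "$name: $n addresses";
            }
        }
    }
    return $reasons;
}

// Constructed sample modelled on the report: Reply-To with no value.
$sample = "From: a@example.org\r\nReply-To: \r\nSubject: This is Subject\r\n\r\nbody\r\n";
print_r(risky_address_headers($sample));
```

In an application, pass the string returned by imap_fetchheader($mailbox, $msgno) and call imap_header() only when the returned list is empty. This assumes imap_fetchheader() does not go through the _php_make_header_object path seen in the backtraces, and it is a stopgap until a fixed build is installed.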




#20254 [Opn-Fbk]: imap_header() crash with bad Reply-To

2002-11-05 Thread iliaa
 ID:   20254
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
-Status:   Open
+Status:   Feedback
 Bug Type: IMAP related
 Operating System: Linux (2.4.18)
 PHP Version:  4.2.3
 New Comment:

The last error implies crash somewhere in the Apache 2 code. Does this
crash happen on any particular script, if so, could you please provide
the smallest possible version of such a script that can be used to
replicate the problem.


Previous Comments:


[2002-11-05 07:18:10] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip





[2002-11-05 03:54:59] [EMAIL PROTECTED]

Here gdb backtrace.
(gdb) run -X
Starting program: /usr/local/apache2/bin/httpd -X
[New Thread 1024 (LWP 21817)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 21817)]
0x402df6dc in chunk_free () from /lib/libc.so.6
(gdb) bt
#0  0x402df6dc in chunk_free () from /lib/libc.so.6
#1  0x402df548 in free () from /lib/libc.so.6
#2  0x404583a7 in _php_make_header_object (myzvalue=0x823b188,
en=0x82444a8, tsrm_ls=0x8186838) at php_imap.c:3724
#3  0x4044d232 in zif_imap_headerinfo (ht=2, return_value=0x823b188,
this_ptr=0x0, return_value_used=1, tsrm_ls=0x8186838)
at php_imap.c:1631
#4  0x403fd5f0 in execute (op_array=0x81e1d08, tsrm_ls=0x8186838) at
./zend_execute.c:1598
#5  0x404100ed in zend_execute_scripts (type=8, tsrm_ls=0x8186838,
retval=0x0, file_count=3) at zend.c:812
#6  0x404236fd in php_execute_script (primary_file=0xb730,
tsrm_ls=0x8186838) at main.c:1383
#7  0x4041e959 in php_output_filter (f=0x81d9980, bb=0x81d9ef0) at
sapi_apache2.c:409
#8  0x080ac5a7 in ap_pass_brigade (next=0x81d9980, bb=0x81d9ab0) at
util_filter.c:540
#9  0x080b2868 in default_handler (r=0x81ce7b0) at core.c:3317
#10 0x080a1bd6 in ap_run_handler (r=0x81ce7b0) at config.c:194
#11 0x080a20f1 in ap_invoke_handler (r=0x81ce7b0) at config.c:401
#12 0x08084e93 in ap_process_request (r=0x81ce7b0) at
http_request.c:288
#13 0x080810b8 in ap_process_http_connection (c=0x81ca3b0) at
http_core.c:293
#14 0x080aa6b6 in ap_run_process_connection (c=0x81ca3b0) at