ID: 32158
Updated by: php-bugs@lists.php.net
Reported By: matti dot aarnio at kv9 dot net
-Status: Feedback
+Status: No Feedback
Bug Type: IMAP related
Operating System: Solaris 8
PHP Version: 5.0.3
New Comment:

No feedback was provided for this bug for over a week, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".

Previous Comments:
------------------------------------------------------------------------

[2005-03-04 16:39:59] [EMAIL PROTECTED]

Please try using this CVS snapshot:
 http://snaps.php.net/php5-STABLE-latest.tar.gz
For Windows:
 http://snaps.php.net/win32/php5.0-win32-latest.zip

------------------------------------------------------------------------

[2005-03-02 00:51:49] matti dot aarnio at kv9 dot net

Description:
------------
We have php-4.3.10 and php-5.0.3 crashing in an identical manner. That isn't surprising, given that the relevant code inside both PHPs is identical. The C-Client library is from UW-IMAP 2004c1, and an oldish IMP script is asking for the headers of the following message (addresses obfuscated, but structure left intact):

>From [EMAIL PROTECTED] Tue Oct 12 17:18:14 2004
Received: from mx4.uuu.fi ([193.167.224.118]:48474 "EHLO mx4.uuu.fi" TLS-CIPHER: <none>) by mail.dnainternet.net with ESMTP id S199057AbUJLOSO (ORCPT <rfc822;[EMAIL PROTECTED]>); Tue, 12 Oct 2004 17:18:14 +0300
Received: from localhost (localhost.localdomain [127.0.0.1]) by mx4.uuu.fi (8.12.10/8.12.10) with ESMTP id i9CEIC9I018154 for <[EMAIL PROTECTED]>; Tue, 12 Oct 2004 17:18:12 +0300
From: "Oooo Nnnnnnnn" <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" =?ISO-8859-1?Q?=20<mmmmmmm.ppppp=E4in?= [EMAIL PROTECTED]>?=
Date: Tue, 12 Oct 2004 17:18:08 +0300
MIME-Version: 1.0
Subject: =?ISO-8859-1?Q?kfjsdkfjksdjfksdjfk_dsfsdfds=E4sfsdfsdf_28.10._sfsdfdsfsdf=E4 _sdfsdfsd_sdfsdf_sdfsdfs?=
CC: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: Quoted-printable
Content-description: Mail message body

A debug session gave a functional libphp when I preallocated excessively large string spaces in the php_imap.c::_php_imap_parse_address() function. Throwing in an extra kilobyte safety buffer for malloc()s just in case does not match my idea of sensible code, however. (Nor does it feel _safe_.)

The C-Client API used is an abomination in itself: its caller must have sufficient buffer space, but there is no way to ask it how much must be allocated, and while PHP tries to figure that out, under some conditions with abnormal input it fails miserably, and rfc822_write_address() will scribble over the end of the malloc()ed buffer space, along with all the merriment that such things cause... The least harm that happens is heap corruption and the Apache/PHP instance crashing. Can it lead to execution of arbitrary code in Apache? That I won't speculate about.

Reproduce code:
---------------
Oldish IMP installation calling imap_headerinfo(). Any PHP webmail setup with IMAP access to a message store should do.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0xff1c158c in _malloc_unlocked () from /usr/lib/libc.so.1
(gdb) where
#0 0xff1c158c in _malloc_unlocked () from /usr/lib/libc.so.1
#1 0xff1c1414 in malloc () from /usr/lib/libc.so.1
#2 0xfefdc060 in _emalloc (size=44) at /home/mea/src/php-4.3.10/Zend/zend_alloc.c:164
#3 0xfeff140c in zend_hash_add_or_update (ht=0x4d8458, arKey=0xff0af130 "personal", nKeyLength=9, pData=0xffbe3d1c, nDataSize=4, pDest=0x0, flag=1) at /home/mea/src/php-4.3.10/Zend/zend_hash.c:275
#4 0xfefefd74 in add_property_string_ex (arg=0x4cf8d0, key=0xff0af130 "personal", key_len=9, str=0x4bacf0 "[EMAIL PROTECTED] =?ISO-8859-1?Q?=20", duplicate=1) at /home/mea/src/php-4.3.10/Zend/zend_API.c:980
#5 0xfef1105c in _php_imap_parse_address (addresslist=0xffbe3d94, fulladdress=0x290, paddress=0x4cf8f8) at /home/mea/src/php-4.3.10/ext/imap/php_imap.c:3701
#6 0xfef112f4 in _php_make_header_object (myzvalue=0x4d02a0, en=0x4bac90) at /home/mea/src/php-4.3.10/ext/imap/php_imap.c:3733
#7 0xfef07f78 in zif_imap_headerinfo (ht=4957520, return_value=0x4d02a0, this_ptr=0x0, return_value_used=1) at /home/mea/src/php-4.3.10/ext/imap/php_imap.c:1506
#8 0xfefffba8 in execute (op_array=0x373880) at /home/mea/src/php-4.3.10/Zend/zend_execute.c:1642
#9 0xfefed900 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/mea/src/php-4.3.10/Zend/zend.c:900
#10 0xfefbeb98 in php_execute_script (primary_file=0xffbef620) at /home/mea/src/php-4.3.10/main/main.c:1736
#11 0xff0061f4 in apache_php_module_main (r=0x1cc7b8, display_source_mode=0) at /home/mea/src/php-4.3.10/sapi/apache/sapi_apache.c:54
#12 0xff00726c in send_php (r=0x1cc7b8, display_source_mode=0, filename=0x0) at /home/mea/src/php-4.3.10/sapi/apache/mod_php4.c:621
#13 0xff007310 in send_parsed_php (r=0x1cc7b8) at /home/mea/src/php-4.3.10/sapi/apache/mod_php4.c:636
#14 0x843c0 in ap_invoke_handler ()
#15 0xa26dc in process_request_internal ()

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=32158&edit=1
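An added illustration of the buffer-sizing hazard the report describes, written for this page and not taken from PHP or c-client; the addr_t struct, the quoting rule and the sample addresses are constructed assumptions. It contrasts a naive length estimate computed from raw field lengths with a bounded writer that reports how many bytes it needs, which is the query the reporter says the c-client API lacks.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-in for a c-client ADDRESS node (not the real struct). */
typedef struct { const char *personal, *mailbox, *host; } addr_t;

/* Output form assumed here: "personal" <mailbox@host>, with '"' and '\' in
 * the name backslash-escaped (quoted-string rule). Hazardous pattern below:
 * sizing the buffer from raw field lengths, ignoring bytes quoting adds. */
size_t naive_estimate(const addr_t *a)
{
    /* two quotes + space + '<' + '@' + '>' + NUL */
    return strlen(a->personal) + strlen(a->mailbox) + strlen(a->host) + 7;
}

/* Store one byte only while it fits, but always count it. */
static void put(char *buf, size_t cap, size_t *n, char c)
{
    if (buf && *n < cap) buf[*n] = c;
    (*n)++;
}

/* Bounded writer: returns the bytes the full output needs (NUL included)
 * and never writes past cap; buf = NULL just measures. This is the
 * "how much must I allocate?" query the report says c-client lacks. */
size_t write_address(char *buf, size_t cap, const addr_t *a)
{
    size_t n = 0;
    const char *p;
    if (a->personal[0]) {
        put(buf, cap, &n, '"');
        for (p = a->personal; *p; p++) {
            if (*p == '"' || *p == '\\') put(buf, cap, &n, '\\');
            put(buf, cap, &n, *p);
        }
        put(buf, cap, &n, '"'); put(buf, cap, &n, ' '); put(buf, cap, &n, '<');
    }
    for (p = a->mailbox; *p; p++) put(buf, cap, &n, *p);
    put(buf, cap, &n, '@');
    for (p = a->host; *p; p++) put(buf, cap, &n, *p);
    if (a->personal[0]) put(buf, cap, &n, '>');
    put(buf, cap, &n, '\0');
    if (buf && cap && n > cap) buf[0] = '\0';   /* truncated: leave no garbage */
    return n;
}

/* Constructed samples with placeholder addresses; the second mirrors the
 * reported To: header, a display name carrying quotes and '<'. */
static const addr_t sample_plain = { "Oooo Nnnnnnnn", "user", "example.invalid" };
static const addr_t sample_odd = { "\"someone\" <x.y>", "user", "example.invalid" };
static char render_buf[64];   /* large enough for both samples' full output */
```

Measuring first with write_address(NULL, 0, a) and allocating that many bytes removes the guesswork; for sample_odd the naive estimate is two bytes short of what the escaped output needs.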