Description:
------------
The crash in this case is due to lack of a sanity check on "fromlength" argument passed to imap_headerinfo().

In the php_imap.c code we have:

PHP_FUNCTION(imap_headerinfo)
{
	zval **streamind, **msgno, **fromlength, **subjectlength, **defaulthost;
	pils *imap_le_struct;
	MESSAGECACHE *cache;
	ENVELOPE *en;
	char dummy[2000], fulladdress[MAILTMPLEN];


were MAILTMPLEN is defined in mail.h as 1024. So stack space is allocated for  a buffer of 1024 bytes  to receive the "from" details which is retrieved by the following code:

mail_fetchfrom(fulladdress, imap_le_struct->imap_stream, Z_LVAL_PP(msgno), Z_LVAL_PP(fromlength));

mail_fetchfrom uses the "fromlength"  supplied on the imap_headerinfo() call to clear out part of the "fulladdress" buffer to spaces before copying the "from" string into it.
If the specified fromlength is greater than 1024 bytes (MAILTMPLEN) then storage over-writes will occur and data corruption or crashes will result.

The php_imap.c code needs to be changed to add a simple sanity check on the input argument. Something along the following lines. 

if (myargc >= 3) {
        convert_to_long_ex(fromlength);
        if (Z_LVAL_PP(fromlength) < 0 ) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "From length has to be greater than or equal to 0");
                RETURN_FALSE;
        }

        ---- start of new code -------
         if (Z_LVAL_PP(fromlength) > MAILTMPLEN ) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "From length must be less than or equal to %i bytes", MAILTMPLEN);
                RETURN_FALSE;
        }	
        ---- end of new code -----	
} else {
        fromlength = 0x00;
}

A similar check is also needed for "subjectlength" argument.


Reproduce code:
---------------
<?php
var_dump(imap_headerinfo($imap_stream, $msg_no, 12345, 12345));
?>

Expected result:
----------------
Warning: imap_headerinfo(): From length must be less than or equal to %d bytes
bool(false)

Actual result:
--------------
PHP crash