php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64467 Segmentation fault after imap_reopen failure
Submitted: 2013-03-20 16:30 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: askalski at gmail dot com Assigned:
Status: Closed Package: IMAP related
PHP Version: master-Git-2013-03-20 (Git) OS: Ubuntu 12.04 LTS
Private report: No CVE-ID: None
 [2013-03-20 16:30 UTC] askalski at gmail dot com
Description:
------------
Versions: 5.2, 5.3, 5.4, also confirmed on latest git master (78acb84b6e8fc07974283ce30c24596444d18cf7)

PHP will crash with a Segmentation Fault after imap_reopen() fails with the error message "imap_reopen(): Couldn't re-open stream ..."

When the UW-IMAP function 'mail_open' returns NIL after having been passed a valid MAILSTREAM pointer, this means UW-IMAP closed and freed the MAILSTREAM.  However, PHP ignores this and returns FALSE without zeroing out imap_le_struct->imap_stream and calling zend_list_delete on the resource.

Because the resource was not freed, mail_close_it (the resource destructor) gets called on an invalid pointer during request shutdown.  If you're lucky, this crashes PHP with a Segmentation Fault.  (If you're unlucky, you've got a corrupt PHP interpreter handling new requests...)


Test script:
---------------
<?php

/* This should succeed */
$imap = imap_open("INBOX", "", "");

echo "imap_open returned: ";
var_dump($imap);

/* This should fail */
$reopen = imap_reopen($imap, "{this*connection*will*fail}");

echo "imap_reopen returned: ";
var_dump($reopen);
flush();

/* Brace yourself for a segfault. UW-IMAP freed the MAILSTREAM structure,
 * but PHP did not null out the pointer or free the resource.  When the
 * script exits, it will call the resource destructor (mail_close_it)
 * on a pointer that was already freed.
 */

?>


Expected result:
----------------
No crash.

Actual result:
--------------
$ /tmp/z/bin/php -v
PHP 5.6.0-dev (cli) (built: Mar 20 2013 12:13:31) 
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.6.0-dev, Copyright (c) 1998-2013 Zend Technologies


$ /tmp/z/bin/php imap-crash.php 
imap_open returned: resource(4) of type (imap)

Warning: imap_reopen(): Couldn't re-open stream in /tmp/imap-crash.php on line 10
imap_reopen returned: bool(false)
Segmentation fault (core dumped)


Patches

imap_reopen_crash.patch (last revision 2013-03-20 21:41 UTC by askalski at gmail dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-06-26 22:15 UTC] felipe@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=60dcc5851f0dd7cf387270d6ba243f9ac46bc396
Log: - Fixed bug #64467 (Segmentation fault after imap_reopen failure) patch by: askalski at gmail dot com
 [2013-06-26 22:15 UTC] felipe@php.net
-Status: Open +Status: Closed
 [2014-10-07 23:18 UTC] stas@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=60dcc5851f0dd7cf387270d6ba243f9ac46bc396
Log: - Fixed bug #64467 (Segmentation fault after imap_reopen failure) patch by: askalski at gmail dot com
 [2014-10-07 23:29 UTC] stas@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=60dcc5851f0dd7cf387270d6ba243f9ac46bc396
Log: - Fixed bug #64467 (Segmentation fault after imap_reopen failure) patch by: askalski at gmail dot com
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 09:01:32 2024 UTC