PHP :: Sec Bug #77020 :: null pointer dereference in imap

Sec Bug #77020	null pointer dereference in imap_mail
Submitted:	2018-10-16 08:36 UTC	Modified:	2018-12-10 03:07 UTC
From:	zhangweiye at topsec dot com dot cn	Assigned:	stas (profile)
Status:	Closed	Package:	IMAP related
PHP Version:	7.2.11	OS:	ubuntu
Private report:	No	CVE-ID:	2018-19935

View Developer Edit

[2018-10-16 08:36 UTC] zhangweiye at topsec dot com dot cn

Description:
------------
in imap_mail if message args is null, in _php_imap_mail no check wheater message  can get, so crash.

```
     fprintf(sendmail, "\n%s\n", message);

```



/usr/local/php/bin/php ./craxxx.php 

Warning: imap_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3
sh: 1: -t: not found
Segmentation fault (core dumped)







../sapi/cli/php ./craxxx.php 

Warning: imap_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3
ASAN:SIGSEGV
=================================================================
==23766==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7fae925d9cc0 bp 0x7ffcb6b27a10 sp 0x7ffcb6b274a0 T0)
sh: 1: -t: not found
    #0 0x7fae925d9cbf in vfprintf (/lib/x86_64-linux-gnu/libc.so.6+0x4ecbf)
    #1 0x7fae926a1bc8 in __fprintf_chk (/lib/x86_64-linux-gnu/libc.so.6+0x116bc8)
    #2 0xa5aeb0 in fprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:97
    #3 0xa5aeb0 in _php_imap_mail /home/fan/github/php-7.2.10/ext/imap/php_imap.c:4065
    #4 0xa5b22d in zif_imap_mail /home/fan/github/php-7.2.10/ext/imap/php_imap.c:4112
    #5 0x17da703 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:573
    #6 0x17da703 in execute_ex /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:59747
    #7 0x181b5c3 in zend_execute /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:63776
    #8 0x1356ef2 in zend_execute_scripts /home/fan/Desktop/php-7.2.10/Zend/zend.c:1496
    #9 0x11c0776 in php_execute_script /home/fan/Desktop/php-7.2.10/main/main.c:2590
    #10 0x1823488 in do_cli /home/fan/Desktop/php-7.2.10/sapi/cli/php_cli.c:1011
    #11 0x18256f4 in main /home/fan/Desktop/php-7.2.10/sapi/cli/php_cli.c:1404
    #12 0x7fae925ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x440888 in _start (/home/fan/github/php-7.2.10/sapi/cli/php+0x440888)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 vfprintf
==23766==ABORTING




Test script:
---------------
<?php
	imap_mail('1', 1, NULL);

?>

Patches

CVE-2018-19935 (last revision 2021-04-07 01:04 UTC by 2432857142 at qq dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-10-16 14:52 UTC] cmb@php.net

-Summary: a null pointer defference in imap_mail +Summary: null pointer dereference in imap_mail -Status: Open +Status: Analyzed -Package: *Mail Related +Package: IMAP related -Assigned To: +Assigned To: stas

[2018-10-16 14:52 UTC] cmb@php.net

Thanks for reporting this issue!  I can confirm the bug (it also
happens if the $message parameter is an empty string).  I suggest
to apply
<https://gist.github.com/cmb69/55b9015ca6416ee027755dc868d66137>.

Stas, can you please commit to the sec repo?

[2018-10-18 08:58 UTC] 790358237 at qq dot com

Thanks for your reply. I am very happy to do this.

[2018-11-11 18:05 UTC] stas@php.net

Fix makes sense, we can merge it in the next release cycle.

[2018-11-11 18:09 UTC] stas@php.net

Added to security repo as 8b1049a7ae96ae9b0315cfe6742e5fb010ffb5d3 (for 5.6, higher versions will be merged up).

[2018-11-21 05:42 UTC] 790358237 at qq dot com

will this get a cve?

[2018-12-03 08:43 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7edc639b9ff1c3576773d79d016abbeed1f93846
Log: Fix #77020: null pointer dereference in imap_mail

[2018-12-03 08:43 UTC] stas@php.net

-Status: Analyzed +Status: Closed

[2018-12-03 14:01 UTC] cmb@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=648fc1e369fc05fb9200a42c7938912236b2a318
Log: Fix #77020: null pointer dereference in imap_mail

[2018-12-07 08:13 UTC] 790358237 at qq dot com

this assign CVE-2018-19935.

[2018-12-07 13:31 UTC] remi@php.net

-CVE-ID: +CVE-ID: 2018-19935

[2018-12-07 15:32 UTC] remi@php.net

Notice: This issue is fixed in 5.6.39, 7.0.33 and 7.3.0
The fix is missing in 7.1.25 and 7.2.13, will be part of 7.1.26 and 7.2.14

[2018-12-10 02:44 UTC] zhangweiye at topsec dot com dot cn

-: 790358237 at qq dot com +: zhangweiye at topsec dot com dot cn

[2018-12-10 02:44 UTC] zhangweiye at topsec dot com dot cn

credit:zhangweiye@topsec.com.cn

[2018-12-10 03:07 UTC] zhangweiye at topsec dot com dot cn

credit topsec(zhangweiye)

[2021-04-07 01:04 UTC] 2432857142 at qq dot com

The following patch has been added/updated:

Patch Name: CVE-2018-19935
Revision:   1617757483
URL:        https://bugs.php.net/patch-display.php?bug=77020&patch=CVE-2018-19935&revision=1617757483

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Oct 26 09:00:01 2025 UTC