Sec Bug #77821 Potential heap corruption in TSendMail()
Submitted: 2019-03-29 10:09 UTC Modified: 2019-04-30 05:08 UTC
From: cmb@php.net Assigned: ab (profile)
Status: Closed Package: *Mail Related
PHP Version: 7.1 OS: Windows
Private report: No CVE-ID: None
 [2019-03-29 10:09 UTC] cmb@php.net
Description:
------------
Running ext/standard/tests/mail/mail_basic_alt2-win32.phpt
sometimes yields Critical error detected c0000374, which indicates
a heap corruption.

Test script:
---------------
ext/standard/tests/mail/mail_basic_alt2-win32.phpt


 [2019-03-29 10:19 UTC] cmb@php.net
-Assigned To: +Assigned To: ab
 [2019-03-29 10:19 UTC] cmb@php.net
Suggested fix for PHP 7.2:
<https://gist.github.com/cmb69/05d64c433700c59384fd759b629e7762>.

For PHP 7.3 and up the situation is slightly different, since code
has been added to release one of the strings right away if
`zend_string_tolower()` returns a copy[1].  It seems to me that
this code should be removed (since it relies on internals of the
API), and the 7.2 fix be applied.

[1] <https://github.com/php/php-src/blob/php-7.3.4RC1/win32/sendmail.c#L211-L213>
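The ownership hazard behind a copy-on-change helper such as `zend_string_tolower()` (it may hand back either the caller's own string or a fresh allocation, and which one is an implementation detail), shown as an added example that is not code from php-src, the gist, or the commit referenced on this page. The `lstr` type, `lstr_tolower()`, `release_lowered()` and `lower_check()` are hypothetical stand-ins written for this illustration; `release_both_unconditionally()` is the pattern to avoid and is defined only for comparison, never executed, because freeing an aliased string twice is undefined behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a length-prefixed heap string (hypothetical, not zend_string). */
typedef struct {
    size_t len;
    char  *val;
} lstr;

static lstr *lstr_new(const char *s)
{
    lstr *r = malloc(sizeof *r);
    if (!r) abort();
    r->len = strlen(s);
    r->val = malloc(r->len + 1);
    if (!r->val) abort();
    memcpy(r->val, s, r->len + 1);
    return r;
}

static void lstr_free(lstr *s)
{
    free(s->val);
    free(s);
}

/* Copy-on-change lowercasing, modelled on the behaviour the comment above
 * attributes to zend_string_tolower(): the input itself is returned when no
 * byte changes, and a freshly allocated copy otherwise. Whether the result
 * aliases the input must not be assumed by the caller; it can only be
 * observed afterwards by pointer identity. */
static lstr *lstr_tolower(lstr *s)
{
    size_t i;
    for (i = 0; i < s->len; i++)
        if (isupper((unsigned char)s->val[i])) break;
    if (i == s->len)
        return s;                 /* already lowercase: alias, no allocation */
    lstr *c = lstr_new(s->val);
    for (; i < c->len; i++)       /* bytes before i are already lowercase */
        c->val[i] = (char)tolower((unsigned char)c->val[i]);
    return c;
}

/* Broken ownership handling: releases the lowered string and then the
 * original. When the helper returned an alias this is a double free, which
 * is exactly the kind of heap corruption a debug CRT reports as c0000374.
 * Defined for comparison only; never called. */
void release_both_unconditionally(lstr *orig, lstr *lowered)
{
    lstr_free(lowered);
    lstr_free(orig);              /* second free of the same block if aliased */
}

/* Correct handling: release the lowered string only if it is a distinct
 * allocation, decided by pointer identity rather than by assumptions about
 * when the helper copies. Returns the number of allocations released
 * (1 when aliased, 2 when a copy was made). */
static int release_lowered(lstr *orig, lstr *lowered)
{
    int freed = 0;
    if (lowered != orig) {
        lstr_free(lowered);
        freed++;
    }
    lstr_free(orig);
    freed++;
    return freed;
}

/* Lower-case `in`, compare with `expect`, then clean up. Returns the number
 * of allocations released, or -1 if the lowered text did not match, so the
 * aliasing and copying cases are both observable from the return value. */
static int lower_check(const char *in, const char *expect)
{
    lstr *orig = lstr_new(in);
    lstr *low  = lstr_tolower(orig);
    int ok = strcmp(low->val, expect) == 0;
    int freed = release_lowered(orig, low);
    return ok ? freed : -1;
}

int main(void)
{
    printf("aliased: freed %d\n", lower_check("to: bob", "to: bob"));
    printf("copied:  freed %d\n", lower_check("To: Bob", "to: bob"));
    return 0;
}
```

The point of `release_lowered()` is that the caller's cleanup depends on one observable fact only, whether the returned pointer equals the input, and not on knowledge of when the helper decides to copy; that keeps the caller correct even if the helper's copying policy changes between versions.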
 [2019-03-31 06:52 UTC] stas@php.net
Is this bug not present in 7.1?
 [2019-03-31 10:46 UTC] ab@php.net
What is the backtrace?

Thanks.
 [2019-03-31 10:55 UTC] cmb@php.net
-PHP Version: 7.2Git-2019-03-29 (Git) +PHP Version: 7.1
 [2019-03-31 10:55 UTC] cmb@php.net
Thanks, Stas!  Indeed, PHP-7.1 is affected as well, and the
suggested patch[1] has to be applied there, too.

Backtrace is:

ntdll.dll!00007ffb6e35aed2() (Unknown Source:0)
ntdll.dll!00007ffb6e36379e() (Unknown Source:0)
ntdll.dll!00007ffb6e363aaa() (Unknown Source:0)
ntdll.dll!00007ffb6e2febc1() (Unknown Source:0)
ntdll.dll!00007ffb6e30cd22() (Unknown Source:0)
ucrtbase.dll!00007ffb6a6ec7eb() (Unknown Source:0)
[Inline Frame] php7.dll!zend_string_free(_zend_string *) Line 264 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_string.h:264)
php7.dll!TSendMail(char * host, int * error, char * * error_message, char * headers, char * Subject, char * mailTo, char * data, char * mailCc, char * mailBcc, char * mailRPath) Line 312 (d:\php-sdk\phpdev\vc14\x64\php-src\win32\sendmail.c:312)
php7.dll!php_mail(char * to, char * subject, char * message, char * headers, char * extra_cmd) Line 342 (d:\php-sdk\phpdev\vc14\x64\php-src\ext\standard\mail.c:342)
php7.dll!zif_mail(_zend_execute_data * execute_data, _zval_struct * return_value) Line 174 (d:\php-sdk\phpdev\vc14\x64\php-src\ext\standard\mail.c:174)
php7.dll!ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER(_zend_execute_data * execute_data) Line 685 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_vm_execute.h:685)
php7.dll!execute_ex(_zend_execute_data * ex) Line 432 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_vm_execute.h:432)
php7.dll!zend_execute(_zend_op_array * op_array, _zval_struct * return_value) Line 475 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_vm_execute.h:475)
php7.dll!zend_execute_scripts(int type, _zval_struct * retval, int file_count, ...) Line 1483 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend.c:1483)
php7.dll!php_execute_script(_zend_file_handle * primary_file) Line 2577 (d:\php-sdk\phpdev\vc14\x64\php-src\main\main.c:2577)
php.exe!do_cli(int argc, char * * argv) Line 994 (d:\php-sdk\phpdev\vc14\x64\php-src\sapi\cli\php_cli.c:994)
php.exe!main(int argc, char * * argv) Line 1381 (d:\php-sdk\phpdev\vc14\x64\php-src\sapi\cli\php_cli.c:1381)
[Inline Frame] php.exe!invoke_main() Line 64 (f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:64)
php.exe!__scrt_common_main_seh() Line 253 (f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253)
kernel32.dll!00007ffb6e1881f4() (Unknown Source:0)

[1] <https://gist.github.com/cmb69/05d64c433700c59384fd759b629e7762>
 [2019-03-31 12:05 UTC] ab@php.net
Thanks for the BT. The patch looks correct. I've no environment to test it right now; as it fixes it for Christoph, it should be fine to include. Christoph, please add a test, if possible.

Thanks.
 [2019-03-31 12:10 UTC] cmb@php.net
> Christoph, please add a test, if possible.

There is already mail_basic_alt2-win32.phpt which is failing (at least sometimes) because of the bug.
 [2019-04-30 05:10 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6c631ccfef94f93259d474682f8bfa803e163c87
Log: Fix #77821: Potential heap corruption in TSendMail()
 [2019-04-30 05:10 UTC] stas@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 09:01:32 2024 UTC