Bug #58047 infinite loop and/or mem. corruption after calling mailparse_msg_get_part_data
Submitted: 2008-02-20 02:54 UTC Modified: 2008-03-03 13:38 UTC
From: mpb dot mail at gmail dot com Assigned:
Status: Closed Package: mailparse (PECL)
PHP Version: 5.2.1 OS: Linux
Private report: No CVE-ID: None
 [2008-02-20 02:54 UTC] mpb dot mail at gmail dot com
Description:
------------
I have a function similar to the following:

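function part_data ($headers) {
  // $msg is local to this function and goes out of scope on return
  $msg = mailparse_msg_create ();
  mailparse_msg_parse ($msg, $headers);
  $part = mailparse_msg_get_part ($msg, '1');
  // only the array is returned; the caller never holds $msg
  $part_data = mailparse_msg_get_part_data ($part);
  return $part_data;
}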

After calling this function (but not immediately after), PHP will infinite loop and/or the contents of $part_data will be corrupted.

I believe the reason for this is that $msg goes out of scope and gets garbage collected, which frees the $msg resource.  As part of freeing the $msg resource, I believe that the $part_data array (or perhaps one of the sub-arrays it contains) gets garbage collected prematurely.

The reason I believe this is that if I recursively copy $part_data, and then return the copy, everything works fine.  I therefore suspect there is a reference counting bug inside of the mailparse extension.

The only reproduction code I have at present is part of a 900 line application.  I have not tried to create a small example that demonstrates the bug, but I might be able to do so if that would help you.

Thanks!


 [2008-03-02 21:51 UTC] alan at akbkhome dot com
The extra delref on this line causes segfault on multi-line header entries
php_mailparse_mime.c:456  ZVAL_DELREF(*zheaderval);
- removing this line appears to fix the problem.
 [2008-03-03 13:38 UTC] shire@php.net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.
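
The reference-count imbalance discussed in this report, as an added C example that is not mailparse or Zend engine code: a simplified model in which a header value is shared by the message resource and the array returned to the caller. The `val_t` type, its helpers and `release_owner` are hypothetical, and the sharing arrangement is an assumption based on the reporter's description.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a refcounted engine value (not the real zval). */
typedef struct { int refcount; int destroyed; } val_t;

static void val_addref(val_t *v) { v->refcount++; }

/* Drop one reference. The model sets a flag instead of calling free(),
 * so the dangling state can be inspected without undefined behaviour. */
static void val_delref(val_t *v) {
    if (--v->refcount == 0) v->destroyed = 1;
}

/* Assumed sequence: the message resource owns a header value, the array
 * returned to the caller takes a second reference, and the resource is
 * released when the PHP function returns. With extra_delref set, one
 * surplus release happens in between, as in the line quoted in the report.
 * Returns 1 if the caller's array now points at a destroyed value;
 * *remaining receives the final reference count. */
int release_owner(int extra_delref, int *remaining) {
    val_t *header = calloc(1, sizeof *header);
    if (!header) return -1;
    header->refcount = 1;                  /* held by the message resource */
    val_addref(header);                    /* held by the returned array too */
    if (extra_delref) val_delref(header);  /* the surplus release */
    val_delref(header);                    /* message resource goes out of scope */
    int dangling = header->destroyed;
    *remaining = header->refcount;
    free(header);
    return dangling;
}

int main(void) {
    int rc;
    int d = release_owner(0, &rc);
    printf("balanced:     dangling=%d refcount=%d\n", d, rc);
    d = release_owner(1, &rc);
    printf("extra delref: dangling=%d refcount=%d\n", d, rc);
    return 0;
}
```

In this model, the reporter's recursive-copy workaround corresponds to the caller holding values that the message resource never shared, so the surplus release cannot reach them.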


 