php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22638 Using Horde/IMP to read an email causes a crash
Submitted: 2003-03-11 13:49 UTC Modified: 2003-03-31 02:16 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:3 (100.0%)
From: dsilvers at pepperfish dot net Assigned:
Status: Not a bug Package: IMAP related
PHP Version: 4.3.2RC OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: dsilvers at pepperfish dot net
New email:
PHP Version: OS:

 

 [2003-03-11 13:49 UTC] dsilvers at pepperfish dot net
When attempting to view an email from British Airways, Horde/IMP would cause a reliably reproducable segmentation fault in the zend hash implementation.

I have worked the minimum-tripping example to:

---CUT
From user@otherdomain.com Mon Mar 10 17:23:48 2003
From: <user@otherdomain.com>
To: <user@domain.example>
CC: <>
Reply-To: <user@domain.com>
Subject: Crashy email

This email crashes IMP
---CUT

The guys at horde.org say it's a PHP problem and that I should ask you guys to solve it.

If you could, I'd be very very grateful -- I have several customers whose email is very affected by this bug.

It appears that the bug is provoked by the adding of the odd CC header into the hash table of headers maintained by the IMAP code.

Here is a GDB backtrace of it happening in 4.3.1 release:

Program received signal SIGSEGV, Segmentation fault.
0x402d2998 in malloc () from /lib/libc.so.6
(gdb) bt
#0  0x402d2998 in malloc () from /lib/libc.so.6
#1  0x402d2074 in malloc () from /lib/libc.so.6
#2  0x0811d53c in _emalloc (size=53)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_alloc.c:154
#3  0x0812d126 in zend_hash_add_or_update (ht=0x833a004, 
    arKey=0x8159ee6 "mon_thousands_sep", nKeyLength=18, pData=0xbfff2118, 
    nDataSize=4, pDest=0x0, flag=1)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_hash.c:262
#4  0x0812b61c in add_assoc_string_ex (arg=0x828d864, 
    key=0x8159ee6 "mon_thousands_sep", key_len=18, str=0x404a30c9 ",", 
    duplicate=1) at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_API.c:673
#5  0x080d953d in zif_localeconv (ht=0, return_value=0x828d864, this_ptr=0x0, 
    return_value_used=1)
    at /home/dsilvers/new-webmail/php-4.3.1/ext/standard/string.c:3766
#6  0x0813982a in execute (op_array=0x836253c)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_execute.c:1598
#7  0x08139984 in execute (op_array=0x83639a4)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_execute.c:1640
#8  0x08139984 in execute (op_array=0x8362a2c)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_execute.c:1640
#9  0x08139984 in execute (op_array=0x824dcbc)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_execute.c:1640
#10 0x0812a598 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend.c:864
#11 0x081087ef in php_execute_script (primary_file=0xbffffe48)
    at /home/dsilvers/new-webmail/php-4.3.1/main/main.c:1573
#12 0x08144a43 in main (argc=1, argv=0xbffffec4)
    at /home/dsilvers/new-webmail/php-4.3.1/sapi/cgi/cgi_main.c:1424
(gdb) quit

Here's my configure line:

./configure  --enable-fastcgi --with-pgsql --disable-ipv6 --with-imap --with-gettext --with-xml --with-mcrypt --prefix=/usr/local/webmail/php --with-imap-ssl  --with-zlib --disable-safe-mode

Here's info about the system:

Linux salmon 2.4.18 #1 Thu Mar 14 19:06:39 GMT 2002 i686 unknown
 
It's a duron 600 based system with plenty of free ram and swap.

It is running Debian GNU/Linux 3.0r1 (Woody) with security patches

PHP is compiled up from source.

If there's any other information you need, just yell.

D.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-03-11 20:44 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip


And what part of IMP causes the crash?
Reading it from the imap server?
Processing the mail?


 [2003-03-18 13:35 UTC] dsilvers at pepperfish dot net
Right. With the snapshot:

php4-STABLE-200303181830

I get exactly the same outward behaviour (I.E. PHP dies when I read a message with a 'CC: <>' header in it.

This is the gdb:

Program received signal SIGSEGV, Segmentation fault.
0x402d29d1 in malloc () from /lib/libc.so.6
(gdb) bt
#0  0x402d29d1 in malloc () from /lib/libc.so.6
#1  0x402d2074 in malloc () from /lib/libc.so.6
#2  0x0811debc in _emalloc (size=12)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/Zend/zend_alloc.c:158
#3  0x0813a1dd in execute (op_array=0x8334174)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/Zend/zend_execute.c:1601
#4  0x0813a3b4 in execute (op_array=0x8406dcc)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/Zend/zend_execute.c:1650
#5  0x0812af28 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/Zend/zend.c:864
#6  0x08108caa in php_execute_script (primary_file=0xbffffe48)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/main/main.c:1647
#7  0x081454b3 in main (argc=1, argv=0xbffffec4)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/sapi/cgi/cgi_main.c:1480

Any ideas?
 [2003-03-18 20:12 UTC] sniper@php.net
Reclassified, assuming the problem is caused by the imap functions.

What c-client version are you using??
(it's most likely that what is causing the crash, and not PHP code)

What part of IMP causes the crash?
Reading it from the imap server?
Processing the mail?

Please try and add some debug die() lines or something
to figure out what exactly causes the crash.

 [2003-03-24 04:17 UTC] sniper@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.


 [2003-03-28 03:36 UTC] spamfree at orangechicken dot com
Please don't close this bug. It happens in 4.3.1 as well. Here's the minimum code that causes a crash:

$inbox = imap_open( '{' . MAIL_SERVER . '/pop3:110}INBOX', MAIL_USER, MAIL_PASS );

Here's the compile string:
'./configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-xml' '--enable-bcmath' '--enable-calendar' '--with-curl' '--enable-ftp' '--with-gd' '--with-jpeg-dir=/usr/local' '--with-png-dir=/usr' '--with-xpm-dir=/usr/X11R6' '--with-imap' '--with-imap-ssl' '--with-kerberos' '--with-mcrypt' '--enable-magic-quotes' '--with-mysql' '--with-pear' '--enable-xslt' '--with-xslt-sablot' '--enable-sockets' '--enable-track-vars' '--with-ttf' '--with-freetype-dir=/usr' '--enable-gd-native-ttf' '--enable-versioning' '--with-zlib'

What else do I need? It seems like the code is quite minimum to cause the crash (1 line).
 [2003-03-31 02:16 UTC] sniper@php.net
Can not reproduce with given information.
Update your c-client library first.

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 14:01:29 2024 UTC