Bug #72852 imap_mail null dereference
Submitted: 2016-08-16 09:08 UTC Modified: 2016-08-19 13:50 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: IMAP related
PHP Version: irrelevant OS: Windows
Private report: No CVE-ID: None
 [2016-08-16 09:08 UTC] fernando at null-life dot com
Description:
------------
This seems to be a Windows only issue, tested with the 7.0.10RC1 QA build [1]. I don't have symbols for rfc822_parse_adrlist [2] so I'm unable to debug further. Seems to be a null dereference based on the stack trace.

[1] http://windows.php.net/qa/
[2] https://github.com/php/php-src/blob/master/ext/imap/php_imap.c#L3965



Test script:
---------------
<?php

// Malformed recipient: an unterminated route address (no closing '>').
$to      = "<a href=\"";
$subject = "A";
$message = "A";

imap_mail($to, $subject, $message);

Expected result:
----------------
No crash

Actual result:
--------------
Faulting Instruction:6d6cb891 cmp byte ptr [eax],40h

Basic Block:
    6d6cb891 cmp byte ptr [eax],40h
       Tainted Input operands: 'eax'
    6d6cb894 cmovne ecx,eax
    6d6cb897 lea eax,[esp+1ch]
    6d6cb89b push ecx
    6d6cb89c push dword ptr [esi+8]
    6d6cb89f push offset php_imap!body_encodings+0x130 (6d76eda8)
    6d6cb8a4 push eax
    6d6cb8a5 call php_imap!sprintf (6d6ce3b0)

Exception Hash (Major/Minor): 0x212bb295.0x3256a426

 Hash Usage : Stack Trace:
Major+Minor : php_imap!rfc822_parse_routeaddr+0x201
Major+Minor : php_imap!rfc822_parse_mailbox+0x4b
Major+Minor : php_imap!rfc822_parse_address+0x51
Major+Minor : php_imap!rfc822_parse_adrlist+0xa8
Major+Minor : php_imap!_php_imap_mail+0x113
Minor       : php_imap!zif_imap_mail+0x133
Minor       : php7!ZEND_DO_ICALL_SPEC_HANDLER+0x51
Minor       : php7!execute_ex+0x21
Minor       : php7!zend_execute+0x325
Minor       : php7!zend_execute_scripts+0xab
Minor       : php7!php_execute_script+0x2aa
Minor       : php!do_cli+0x7e3
Minor       : php!main+0x44e
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_774c0000!__RtlUserThreadStart+0x2f
Minor       : ntdll_774c0000!_RtlUserThreadStart+0x1b
Instruction Address: 0x000000006d6cb891
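A defender-side guard that rejects recipient strings such as the one in the test script before they are handed to the c-client parser, for builds that do not yet carry the fix committed below. This is an added example, not code from the report or from php-src; the names safe_recipients and guarded_imap_mail are hypothetical, and the accepted address grammar (bare address or "Name <address>") is a deliberately narrow assumption.

```php
<?php
// Added example, not part of the bug report or of php-src. Assumes a PHP
// build with ext/imap loaded. The address grammar accepted here is narrow
// on purpose: anything else is refused before it reaches imap_mail().

/**
 * Return the recipients if every comma-separated entry is either a bare
 * mailbox or "Display Name <mailbox>" with a mailbox that passes
 * FILTER_VALIDATE_EMAIL; return null otherwise.
 */
function safe_recipients(string $to): ?array
{
    $clean = [];
    foreach (explode(',', $to) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            return null;
        }
        // "Name <user@host>": validate only the part inside the brackets.
        // An unterminated "<..." (as in the report) does not match and is
        // then validated as a whole string, which fails.
        if (preg_match('/^[^<>]*<([^<>\s]+)>$/', $entry, $m)) {
            $addr = $m[1];
        } else {
            $addr = $entry;
        }
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            return null;
        }
        $clean[] = $entry;
    }
    return $clean;
}

/** Wrapper around imap_mail() that refuses malformed recipient lists. */
function guarded_imap_mail(string $to, string $subject, string $message): bool
{
    $recipients = safe_recipients($to);
    if ($recipients === null) {
        error_log('imap_mail: rejected malformed recipient list '
            . var_export($to, true));
        return false;
    }
    return imap_mail(implode(', ', $recipients), $subject, $message);
}

// The input from the report's test script is rejected; a well-formed list
// (constructed sample addresses) is passed through unchanged.
var_dump(safe_recipients('<a href="'));
var_dump(safe_recipients('Ann <ann@example.com>, bob@example.com'));
```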


History
 [2016-08-16 17:55 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-08-19 13:50 UTC] ab@php.net
-Status: Open +Status: Verified -PHP Version: 7.0.9 +PHP Version: irrelevant
 [2016-08-19 23:39 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=21f08a7488b54e9894b762b690b6674858881252
Log: Fixed bug #72852 imap_mail null dereference
 [2016-08-19 23:39 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=21f08a7488b54e9894b762b690b6674858881252
Log: Fixed bug #72852 imap_mail null dereference