Sec Bug #77020 null pointer dereference in imap_mail
Submitted: 2018-10-16 08:36 UTC Modified: 2018-12-10 03:07 UTC
From: zhangweiye at topsec dot com dot cn Assigned: stas (profile)
Status: Closed Package: IMAP related
PHP Version: 7.2.11 OS: ubuntu
Private report: No CVE-ID: 2018-19935
 [2018-10-16 08:36 UTC] zhangweiye at topsec dot com dot cn
Description:
------------
In imap_mail, if the message argument is null, _php_imap_mail does not check whether message is available, so it crashes.

```c
fprintf(sendmail, "\n%s\n", message);
```

```
/usr/local/php/bin/php ./craxxx.php

Warning: imap_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3
sh: 1: -t: not found
Segmentation fault (core dumped)
```

```
../sapi/cli/php ./craxxx.php

Warning: imap_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3
ASAN:SIGSEGV
=================================================================
==23766==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7fae925d9cc0 bp 0x7ffcb6b27a10 sp 0x7ffcb6b274a0 T0)
sh: 1: -t: not found
    #0 0x7fae925d9cbf in vfprintf (/lib/x86_64-linux-gnu/libc.so.6+0x4ecbf)
    #1 0x7fae926a1bc8 in __fprintf_chk (/lib/x86_64-linux-gnu/libc.so.6+0x116bc8)
    #2 0xa5aeb0 in fprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:97
    #3 0xa5aeb0 in _php_imap_mail /home/fan/github/php-7.2.10/ext/imap/php_imap.c:4065
    #4 0xa5b22d in zif_imap_mail /home/fan/github/php-7.2.10/ext/imap/php_imap.c:4112
    #5 0x17da703 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:573
    #6 0x17da703 in execute_ex /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:59747
    #7 0x181b5c3 in zend_execute /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:63776
    #8 0x1356ef2 in zend_execute_scripts /home/fan/Desktop/php-7.2.10/Zend/zend.c:1496
    #9 0x11c0776 in php_execute_script /home/fan/Desktop/php-7.2.10/main/main.c:2590
    #10 0x1823488 in do_cli /home/fan/Desktop/php-7.2.10/sapi/cli/php_cli.c:1011
    #11 0x18256f4 in main /home/fan/Desktop/php-7.2.10/sapi/cli/php_cli.c:1404
    #12 0x7fae925ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x440888 in _start (/home/fan/github/php-7.2.10/sapi/cli/php+0x440888)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 vfprintf
==23766==ABORTING
```

Test script:
---------------
```php
<?php
imap_mail('1', 1, NULL);
?>
```
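As an added illustration, not code from the bug report or from php-src: a small C model of the unchecked `fprintf` beside a defensive variant that treats a NULL body as empty. The `tmpfile()` stand-in for the sendmail pipe and the `body_from_argument()` helper are assumptions of this example, not the extension's own code.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for the sendmail pipe in _php_imap_mail: the body is
 * written to a FILE*, here a tmpfile() instead of popen(sendmail_path). */

/* Bug shape from the report: `message` goes straight into "%s". With a NULL
 * pointer this is undefined behaviour; glibc sometimes prints "(null)", but
 * the ASAN trace above shows vfprintf faulting instead. Never rely on it. */
static void write_body_unchecked(FILE *out, const char *message)
{
    fprintf(out, "\n%s\n", message);
}

/* Defensive shape: NULL and "" are both written as an empty body. */
static void write_body_checked(FILE *out, const char *message)
{
    fprintf(out, "\n%s\n", message ? message : "");
}

/* Assumed caller behaviour (not taken from php-src): an empty $message is
 * turned into a NULL pointer, which is consistent with both NULL and ""
 * crashing, as cmb notes in the thread. */
static const char *body_from_argument(const char *arg)
{
    return (arg == NULL || arg[0] == '\0') ? NULL : arg;
}

/* Run a writer into a temporary file and compare the bytes it produced. */
static int body_equals(void (*writer)(FILE *, const char *),
                       const char *message, const char *expected)
{
    char buf[256];
    FILE *f = tmpfile();
    if (!f) return 0;
    writer(f, message);
    rewind(f);
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *body = body_from_argument("");   /* the test script's NULL/"" case */
    printf("checked writer ok: %d\n", body_equals(write_body_checked, body, "\n\n"));
    return 0;
}
```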
Patches

CVE-2018-19935 (last revision 2021-04-07 01:04 UTC by 2432857142 at qq dot com)

Pull Requests

History

 [2018-10-16 14:52 UTC] cmb@php.net
-Summary: a null pointer defference in imap_mail +Summary: null pointer dereference in imap_mail -Status: Open +Status: Analyzed -Package: *Mail Related +Package: IMAP related -Assigned To: +Assigned To: stas
 [2018-10-16 14:52 UTC] cmb@php.net
Thanks for reporting this issue!  I can confirm the bug (it also
happens if the $message parameter is an empty string).  I suggest
to apply
<https://gist.github.com/cmb69/55b9015ca6416ee027755dc868d66137>.

Stas, can you please commit to the sec repo?
 [2018-10-18 08:58 UTC] 790358237 at qq dot com
Thanks for your reply. I am very happy to do this.
 [2018-11-11 18:05 UTC] stas@php.net
Fix makes sense, we can merge it in the next release cycle.
 [2018-11-11 18:09 UTC] stas@php.net
Added to security repo as 8b1049a7ae96ae9b0315cfe6742e5fb010ffb5d3 (for 5.6, higher versions will be merged up).
 [2018-11-21 05:42 UTC] 790358237 at qq dot com
Will this get a CVE?
 [2018-12-03 08:43 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7edc639b9ff1c3576773d79d016abbeed1f93846
Log: Fix #77020: null pointer dereference in imap_mail
 [2018-12-03 08:43 UTC] stas@php.net
-Status: Analyzed +Status: Closed
 [2018-12-03 14:01 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=648fc1e369fc05fb9200a42c7938912236b2a318
Log: Fix #77020: null pointer dereference in imap_mail
 [2018-12-07 08:13 UTC] 790358237 at qq dot com
This was assigned CVE-2018-19935.
 [2018-12-07 13:31 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2018-19935
 [2018-12-07 15:32 UTC] remi@php.net
Notice: This issue is fixed in 5.6.39, 7.0.33 and 7.3.0
The fix is missing in 7.1.25 and 7.2.13; it will be part of 7.1.26 and 7.2.14.
 [2018-12-10 02:44 UTC] zhangweiye at topsec dot com dot cn
-: 790358237 at qq dot com +: zhangweiye at topsec dot com dot cn
 [2018-12-10 02:44 UTC] zhangweiye at topsec dot com dot cn
credit: zhangweiye@topsec.com.cn
 [2018-12-10 03:07 UTC] zhangweiye at topsec dot com dot cn
credit topsec(zhangweiye)
 [2021-04-07 01:04 UTC] 2432857142 at qq dot com
The following patch has been added/updated:

Patch Name: CVE-2018-19935
Revision:   1617757483
URL:        https://bugs.php.net/patch-display.php?bug=77020&patch=CVE-2018-19935&revision=1617757483
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Tue Jan 28 04:01:29 2025 UTC