Sec Bug #77821 Potential heap corruption in TSendMail()
Submitted: 2019-03-29 10:09 UTC Modified: 2019-04-30 05:08 UTC
From: cmb@php.net Assigned: ab (profile)
Status: Closed Package: *Mail Related
PHP Version: 7.1 OS: Windows
Private report: No CVE-ID: None

 [2019-03-29 10:09 UTC] cmb@php.net
Description:
------------
Running ext/standard/tests/mail/mail_basic_alt2-win32.phpt
sometimes yields Critical error detected c0000374, which indicates
a heap corruption.

Test script:
---------------
ext/standard/tests/mail/mail_basic_alt2-win32.phpt


 [2019-03-29 10:19 UTC] cmb@php.net
-Assigned To: +Assigned To: ab
 [2019-03-29 10:19 UTC] cmb@php.net
Suggested fix for PHP 7.2:
<https://gist.github.com/cmb69/05d64c433700c59384fd759b629e7762>.

For PHP 7.3 and up the situation is slightly different, since code
has been added to release one of the strings right away if
`zend_string_tolower()` returns a copy[1].  It seems to me that
this code should be removed (since it relies on internals of the
API), and the 7.2 fix be applied.

[1] <https://github.com/php/php-src/blob/php-7.3.4RC1/win32/sendmail.c#L211-L213>
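Added example, not part of the original report and not php-src code: a simplified C model of the ownership hazard the comment above points at. It assumes, as in the Zend API, that zend_string_tolower() hands back the same string with its refcount incremented when the input is already lowercase, and that zend_string_free() frees regardless of refcount. All rc_* names and the sample header are constructed, and the linked gist is not reproduced here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a refcounted string; all names are hypothetical. */
typedef struct { int live; unsigned refcount; char val[64]; } rc_str;

static rc_str pool[8];   /* slots never go back to the OS, so a second free */
static int double_frees; /* is counted here instead of corrupting a heap    */

static rc_str *rc_new(const char *s) {
    for (int i = 0; i < 8; i++)
        if (!pool[i].live) {
            pool[i].live = 1; pool[i].refcount = 1;
            strncpy(pool[i].val, s, sizeof pool[i].val - 1);
            pool[i].val[sizeof pool[i].val - 1] = '\0';
            return &pool[i];
        }
    return NULL;
}
/* Unconditional free: ignores the refcount, like zend_string_free(). */
static void rc_free(rc_str *s) { if (!s->live) double_frees++; s->live = 0; }
/* Refcount-aware release, like zend_string_release(). */
static void rc_release(rc_str *s) { if (--s->refcount == 0) rc_free(s); }

/* Like zend_string_tolower(): an already-lowercase input comes back as the
 * same object with its refcount bumped; otherwise a new string is returned. */
static rc_str *rc_tolower(rc_str *s) {
    const char *p = s->val;
    while (*p && !isupper((unsigned char)*p)) p++;
    if (!*p) { s->refcount++; return s; }
    rc_str *lc = rc_new(s->val);
    for (char *q = lc->val; *q; q++) *q = (char)tolower((unsigned char)*q);
    return lc;
}

/* Cleans up both handles and returns how many double frees were seen. */
static int cleanup_headers(const char *headers, int use_release) {
    memset(pool, 0, sizeof pool); double_frees = 0;
    rc_str *orig = rc_new(headers), *lc = rc_tolower(orig);
    if (use_release) { rc_release(orig); rc_release(lc); }
    else             { rc_free(orig);    rc_free(lc);    }
    return double_frees;
}

int main(void) { /* constructed sample header, already lowercase */
    printf("free+free: %d\n", cleanup_headers("from: a@example.com\r\n", 0));
    printf("release+release: %d\n", cleanup_headers("from: a@example.com\r\n", 1));
    return 0;
}
```

With an input that contains uppercase letters the two handles are distinct objects and the unconditional frees happen to be safe, which is one way such a defect can stay intermittent.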
 [2019-03-31 06:52 UTC] stas@php.net
Is this bug not present in 7.1?
 [2019-03-31 10:46 UTC] ab@php.net
What is the backtrace?

Thanks.
 [2019-03-31 10:55 UTC] cmb@php.net
-PHP Version: 7.2Git-2019-03-29 (Git) +PHP Version: 7.1
 [2019-03-31 10:55 UTC] cmb@php.net
Thanks, Stas!  Indeed, PHP-7.1 is affected as well, and the
suggested patch[1] has to be applied there, too.

Backtrace is:

ntdll.dll!00007ffb6e35aed2() (Unknown Source:0)
ntdll.dll!00007ffb6e36379e() (Unknown Source:0)
ntdll.dll!00007ffb6e363aaa() (Unknown Source:0)
ntdll.dll!00007ffb6e2febc1() (Unknown Source:0)
ntdll.dll!00007ffb6e30cd22() (Unknown Source:0)
ucrtbase.dll!00007ffb6a6ec7eb() (Unknown Source:0)
[Inline Frame] php7.dll!zend_string_free(_zend_string *) Line 264 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_string.h:264)
php7.dll!TSendMail(char * host, int * error, char * * error_message, char * headers, char * Subject, char * mailTo, char * data, char * mailCc, char * mailBcc, char * mailRPath) Line 312 (d:\php-sdk\phpdev\vc14\x64\php-src\win32\sendmail.c:312)
php7.dll!php_mail(char * to, char * subject, char * message, char * headers, char * extra_cmd) Line 342 (d:\php-sdk\phpdev\vc14\x64\php-src\ext\standard\mail.c:342)
php7.dll!zif_mail(_zend_execute_data * execute_data, _zval_struct * return_value) Line 174 (d:\php-sdk\phpdev\vc14\x64\php-src\ext\standard\mail.c:174)
php7.dll!ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER(_zend_execute_data * execute_data) Line 685 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_vm_execute.h:685)
php7.dll!execute_ex(_zend_execute_data * ex) Line 432 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_vm_execute.h:432)
php7.dll!zend_execute(_zend_op_array * op_array, _zval_struct * return_value) Line 475 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_vm_execute.h:475)
php7.dll!zend_execute_scripts(int type, _zval_struct * retval, int file_count, ...) Line 1483 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend.c:1483)
php7.dll!php_execute_script(_zend_file_handle * primary_file) Line 2577 (d:\php-sdk\phpdev\vc14\x64\php-src\main\main.c:2577)
php.exe!do_cli(int argc, char * * argv) Line 994 (d:\php-sdk\phpdev\vc14\x64\php-src\sapi\cli\php_cli.c:994)
php.exe!main(int argc, char * * argv) Line 1381 (d:\php-sdk\phpdev\vc14\x64\php-src\sapi\cli\php_cli.c:1381)
[Inline Frame] php.exe!invoke_main() Line 64 (f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:64)
php.exe!__scrt_common_main_seh() Line 253 (f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253)
kernel32.dll!00007ffb6e1881f4() (Unknown Source:0)

[1] <https://gist.github.com/cmb69/05d64c433700c59384fd759b629e7762>
 [2019-03-31 12:05 UTC] ab@php.net
Thanks for the BT. The patch looks correct. I've no environment to test it right now; as it fixes it for Christoph, it should be fine to include. Christoph, please add a test, if possible.

Thanks.
 [2019-03-31 12:10 UTC] cmb@php.net
> Christoph, please add a test, if possible.

There is already mail_basic_alt2-win32.phpt which is failing (at least sometimes) because of the bug.
 [2019-04-30 05:10 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6c631ccfef94f93259d474682f8bfa803e163c87
Log: Fix #77821: Potential heap corruption in TSendMail()
 [2019-04-30 05:10 UTC] stas@php.net
-Status: Assigned +Status: Closed
 