Bug #19280 imap_header() fails with many To: addresses
Submitted: 2002-09-07 10:25 UTC Modified: 2002-10-08 15:16 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (33.3%)
From: mose at ns dot cune dot edu Assigned:
Status: Closed Package: IMAP related
PHP Version: 4CVS-2002-09-07 OS: RedHat 7.3, 2.4.19
Private report: No CVE-ID:
 [2002-09-07 10:25 UTC] mose at ns dot cune dot edu
imap-2002.RC5 (also does not work with imap-2002.RC2)
Apache 2.0.40
openldap 2.1.4
mysql 3.23.49
configure --with-apxs2=/local/apache/bin/apxs --enable-force-cgi-redirect --disable-cli --with-imap=/home/xxx/imap-2002.RC5 --with-ldap --with-mysql=/local/mysql

The call to imap_header() fails on messages with many To: addresses.  One message I received has 128 addresses in the To: field (of the form "Firstname Lastname" <Firstname.Lastname@example.com>).  Other messages with fewer addresses do not cause a problem.

There is a bug in the database that was supposed to have been fixed in CVS in June.  Either that change has not made it into the current CVS, or this is a different bug.  I'd be happy to mail someone a typical message that produces the problem.  However, you should easily be able to craft such a message yourself in a text file by simply repeating the address in the To: field.

 [2002-09-07 13:08 UTC] mose at ns dot cune dot edu
No, I have not tried this with earlier versions of Apache or c-client.

This seems to be the sequence of events.

imap_header() called in php with the message number
_php_make_header_object() called with envelope information
_php_imap_parse_address(en->to...) called to parse To:

It then makes various trips through the do while loop.  The message I have with 128 addresses always makes 18 trips through the loop and then consistently blows up the 19th time at the line with "if (addresstmp->host)".

It's possible that this isn't the real location of the problem.  Rather it might be a memory allocation problem when the envelope information is created, since there is such a large number of To: addresses.  19 addresses could be close to 1024 bytes.
 [2002-09-07 13:56 UTC] mose at ns dot cune dot edu
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 17426 (LWP 25688)]
0x4207a3b4 in chunk_alloc () from /lib/i686/libc.so.6
(gdb) bt
#0  0x4207a3b4 in chunk_alloc () from /lib/i686/libc.so.6
#1  0x4207a148 in malloc () from /lib/i686/libc.so.6
#2  0x403450f4 in _emalloc (size=40)
    at /home/mose/php4-200209070600/Zend/zend_alloc.c:154
#3  0x40356bf6 in _object_and_properties_init (arg=0x4423b834,
    class_type=0x40463900, properties=0x0, tsrm_ls=0x44391698)
    at /home/mose/php4-200209070600/Zend/zend_API.c:585
#4  0x40356c61 in _object_init_ex (arg=0x4423b834, class_type=0x40463900,
    tsrm_ls=0x44391698) at /home/mose/php4-200209070600/Zend/zend_API.c:597
#5  0x40356c8b in _object_init (arg=0x4423b834, tsrm_ls=0x44391698)
    at /home/mose/php4-200209070600/Zend/zend_API.c:603
#6  0x40280659 in _php_imap_parse_address (addresslist=0x44349c20,
    fulladdress=0x42b2c314, paddress=0x4423b7b4, tsrm_ls=0x44391698)
    at /home/mose/php4-200209070600/ext/imap/php_imap.c:3555
#7  0x402808df in _php_make_header_object (myzvalue=0x44457f04, en=0x443aea78,
    tsrm_ls=0x44391698)
    at /home/mose/php4-200209070600/ext/imap/php_imap.c:3587
#8  0x40279348 in zif_imap_headerinfo (ht=5, return_value=0x44457f04,
    this_ptr=0x0, return_value_used=1, tsrm_ls=0x44391698)
    at /home/mose/php4-200209070600/ext/imap/php_imap.c:1479
#9  0x403691b3 in execute (op_array=0x4425b308, tsrm_ls=0x44391698)
    at /home/mose/php4-200209070600/Zend/zend_execute.c:1602
#10 0x403693ae in execute (op_array=0x44345d24, tsrm_ls=0x44391698)
    at /home/mose/php4-200209070600/Zend/zend_execute.c:1646
#11 0x4036e8e5 in execute (op_array=0x44469ba4, tsrm_ls=0x44391698)
    at /home/mose/php4-200209070600/Zend/zend_execute.c:2168
#12 0x4036e8e5 in execute (op_array=0x4423ef8c, tsrm_ls=0x44391698)
    at /home/mose/php4-200209070600/Zend/zend_execute.c:2168
#13 0x403558ea in zend_execute_scripts (type=8, tsrm_ls=0x44391698,
    retval=0x0, file_count=3) at /home/mose/php4-200209070600/Zend/zend.c:814
#14 0x4032c3f2 in php_execute_script (primary_file=0x42b3489c,
    tsrm_ls=0x44391698) at /home/mose/php4-200209070600/main/main.c:1510
#15 0x40371a15 in php_output_filter (f=0x444022f0, bb=0x44402f68)
    at /home/mose/php4-200209070600/sapi/apache2filter/sapi_apache2.c:409
#16 0x0806eeb7 in ap_pass_brigade (next=0x444022f0, bb=0x44402428)
    at util_filter.c:540
#17 0x08075280 in default_handler (r=0x443b7fe8) at core.c:3293
#18 0x08065b1e in ap_run_handler (r=0x443b7fe8) at config.c:193
#19 0x08066039 in ap_invoke_handler (r=0x443b7fe8) at config.c:400
#20 0x08061d63 in ap_process_request (r=0x443b7fe8) at http_request.c:257
#21 0x0805dff8 in ap_process_http_connection (c=0x442c4e70) at http_core.c:293
#22 0x0806d3ea in ap_run_process_connection (c=0x442c4e70) at connection.c:85
#23 0x08062e5a in process_socket (p=0x442c4d60, sock=0x442c4d98,
    my_child_num=0, my_thread_num=15, bucket_alloc=0x818c3a0) at worker.c:632
#24 0x08063439 in worker_thread (thd=0x8100b20, dummy=0x8169790)
    at worker.c:947
#25 0x400f7330 in dummy_worker (opaque=0x8100b20) at thread.c:127
#26 0x4016dfef in pthread_start_thread () from /lib/i686/libpthread.so.0
#27 0x4016e0df in pthread_start_thread_event () from /lib/i686/libpthread.so.0


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 19476 (LWP 25869)]
0x4207a3b4 in chunk_alloc () from /lib/i686/libc.so.6
(gdb) bt
#0  0x4207a3b4 in chunk_alloc () from /lib/i686/libc.so.6
#1  0x4207a148 in malloc () from /lib/i686/libc.so.6
#2  0x403450f4 in _emalloc (size=40)
    at /home/mose/php4-200209070600/Zend/zend_alloc.c:154
#3  0x40356bf6 in _object_and_properties_init (arg=0x88c1e94,
    class_type=0x40463900, properties=0x0, tsrm_ls=0x87aa430)
    at /home/mose/php4-200209070600/Zend/zend_API.c:585
#4  0x40356c61 in _object_init_ex (arg=0x88c1e94, class_type=0x40463900,
    tsrm_ls=0x87aa430) at /home/mose/php4-200209070600/Zend/zend_API.c:597
#5  0x40356c8b in _object_init (arg=0x88c1e94, tsrm_ls=0x87aa430)
    at /home/mose/php4-200209070600/Zend/zend_API.c:603
#6  0x40280659 in _php_imap_parse_address (addresslist=0x8539a20,
    fulladdress=0x42f2c314, paddress=0x88c1e14, tsrm_ls=0x87aa430)
    at /home/mose/php4-200209070600/ext/imap/php_imap.c:3555
#7  0x402808df in _php_make_header_object (myzvalue=0x8624d7c, en=0x89308a0,
    tsrm_ls=0x87aa430) at /home/mose/php4-200209070600/ext/imap/php_imap.c:3587
#8  0x40279348 in zif_imap_headerinfo (ht=5, return_value=0x8624d7c,
    this_ptr=0x0, return_value_used=1, tsrm_ls=0x87aa430)
    at /home/mose/php4-200209070600/ext/imap/php_imap.c:1479
#9  0x403691b3 in execute (op_array=0x879e010, tsrm_ls=0x87aa430)
    at /home/mose/php4-200209070600/Zend/zend_execute.c:1602
#10 0x403693ae in execute (op_array=0x8858c74, tsrm_ls=0x87aa430)
    at /home/mose/php4-200209070600/Zend/zend_execute.c:1646
#11 0x4036e8e5 in execute (op_array=0x84d714c, tsrm_ls=0x87aa430)
    at /home/mose/php4-200209070600/Zend/zend_execute.c:2168
#12 0x4036e8e5 in execute (op_array=0x84cdda4, tsrm_ls=0x87aa430)
    at /home/mose/php4-200209070600/Zend/zend_execute.c:2168
#13 0x403558ea in zend_execute_scripts (type=8, tsrm_ls=0x87aa430, retval=0x0,
    file_count=3) at /home/mose/php4-200209070600/Zend/zend.c:814
#14 0x4032c3f2 in php_execute_script (primary_file=0x42f3489c,
    tsrm_ls=0x87aa430) at /home/mose/php4-200209070600/main/main.c:1510
#15 0x40371a15 in php_output_filter (f=0x85a9ab8, bb=0x85aa730)
    at /home/mose/php4-200209070600/sapi/apache2filter/sapi_apache2.c:409
#16 0x0806eeb7 in ap_pass_brigade (next=0x85a9ab8, bb=0x85a9bf0)
    at util_filter.c:540
#17 0x08075280 in default_handler (r=0x84059c0) at core.c:3293
#18 0x08065b1e in ap_run_handler (r=0x84059c0) at config.c:193
#19 0x08066039 in ap_invoke_handler (r=0x84059c0) at config.c:400
#20 0x08061d63 in ap_process_request (r=0x84059c0) at http_request.c:257
#21 0x0805dff8 in ap_process_http_connection (c=0x81b8aa0) at http_core.c:293
#22 0x0806d3ea in ap_run_process_connection (c=0x81b8aa0) at connection.c:85
#23 0x08062e5a in process_socket (p=0x81b8990, sock=0x81b89c8, my_child_num=0,
    my_thread_num=17, bucket_alloc=0x81944a0) at worker.c:632
#24 0x08063439 in worker_thread (thd=0x8100b60, dummy=0x8169790)
    at worker.c:947
#25 0x400f7330 in dummy_worker (opaque=0x8100b60) at thread.c:127
#26 0x4016dfef in pthread_start_thread () from /lib/i686/libpthread.so.0
#27 0x4016e0df in pthread_start_thread_event () from /lib/i686/libpthread.so.0
 [2002-09-08 15:21 UTC] mose at ns dot cune dot edu
Below is an example of a message that causes imap_header() (or imap_headerinfo()) to fail.  It consists of 139 lines, 7226 total characters.  The To: address contains 129 addresses.  Each address after the first To: address is preceded by a tab (and not spaces).  If you can drop this message into a directory and try to read it, it may produce some helpful information.

I've been playing around with the message, and it seems that it has to be pretty close to the message below.  Adding or removing lines, adding or removing characters changes it enough so that it works.  I have not found the pattern of what causes it to fail, yet.

Return-Path: <Firstname.Lastname@abcd.com>
Received: from localhost (localhost.localdomain [127.0.0.1])
        by mail.abcd.com (Postfix) with ESMTP
        id 7BBFF7B9D; Fri,  6 Sep 2002 15:47:26 -0500 (CDT)
Message-ID: <Firstname.Lastname@abcd.com>
From: "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>
To: "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>,
        "Firstname (E-Mail)" <Firstname.Lastname@abcd.com>
Subject: Whatever
Date: Fri, 6 Sep 2002 15:46:59 -0500

This is one line of the mail body.
 [2002-09-08 19:57 UTC] mose at ns dot cune dot edu
The problem is not resolved with imap-2001a.  Earlier versions of imap do not compile because of a mismatch involving date functions.  The only error reported in error_log is "Segmentation fault".
 [2002-09-26 14:01 UTC] mose at ns dot cune dot edu
If I edit ext/imap/php_imap.c in the function _php_imap_parse_address() and comment the call to rfc822_write_address(tmpstr, addresstmp) on line 3583, then php does not crash.  If I modify line 3581 to allocate more space so that it becomes

tmpstr = (char *) malloc (len + 2048);

not only does php not crash, the call to imap_headerinfo() works.

The kludge in _php_imap_get_address_size() that simply adds MAILTMPLEN (defined as 1024 in c-client/mail.h) characters to the length of all of the text is not enough when there is a large number of addresses.  Additional length should be calculated as the product of the total number of addresses and the maximum number of additional characters per address that could be expected to be added during a call to rfc822_write_address().
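The sizing defect the comment above isolates (a single MAILTMPLEN of slack added once for the whole list, versus overhead that rfc822_write_address() adds for every address) can be modelled outside c-client. The C program below is an added example, not code from the PHP or c-client sources: it uses a constructed address struct and a bounded writer of its own, so the 8-byte per-address overhead and the field layout are assumptions rather than c-client's numbers. It computes both sizing rules and reports whether each leaves room for the rendered list. With 129 copies of the sample address from the report, the fixed slack comes up short while the per-address bound does not; that threshold is a property of this model, not a claim about c-client.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of one parsed mailbox; it is NOT c-client's ADDRESS struct. */
typedef struct addr {
    const char *personal;   /* display name, emitted in double quotes */
    const char *mailbox;    /* local part */
    const char *host;       /* domain */
    struct addr *next;
} addr_t;

#define MAILTMPLEN 1024        /* the constant the report quotes from c-client/mail.h */
#define PER_ADDR_OVERHEAD 8    /* hypothetical: 2 quotes, space, '<', '@', '>', ", " per address */

/* Sum the raw field lengths over the list and count its entries. */
static size_t raw_text_len(const addr_t *a, size_t *count) {
    size_t len = 0;
    *count = 0;
    for (; a; a = a->next) {
        if (a->personal) len += strlen(a->personal);
        if (a->mailbox)  len += strlen(a->mailbox);
        if (a->host)     len += strlen(a->host);
        (*count)++;
    }
    return len;
}

/* Fixed-slack sizing, the pattern the report criticises: raw text + MAILTMPLEN. */
size_t size_fixed_slack(const addr_t *a) {
    size_t n;
    return raw_text_len(a, &n) + MAILTMPLEN;
}

/* Sizing that grows with the address count, as the report proposes. */
size_t size_per_address(const addr_t *a) {
    size_t n;
    size_t raw = raw_text_len(a, &n);
    return raw + n * PER_ADDR_OVERHEAD + 1;   /* +1 for the terminating NUL */
}

/* Bounded writer: emits "personal" <mailbox@host> for each entry, comma-separated.
 * Like snprintf it never writes past cap and returns the bytes the complete
 * output needs (NUL included), so a caller can detect a too-small buffer. */
size_t write_address_list(char *buf, size_t cap, const addr_t *a) {
    size_t used = 0;
    for (; a; a = a->next) {
        size_t room = used < cap ? cap - used : 0;
        int n = snprintf(room ? buf + used : NULL, room, "\"%s\" <%s@%s>%s",
                         a->personal ? a->personal : "",
                         a->mailbox  ? a->mailbox  : "",
                         a->host     ? a->host     : "",
                         a->next     ? ", "        : "");
        if (n < 0) return (size_t)-1;
        used += (size_t)n;
    }
    return used + 1;
}

void free_list(addr_t *a) {
    while (a) { addr_t *next = a->next; free(a); a = next; }
}

/* Build n copies of the (constructed) address pattern from the report's sample message. */
addr_t *build_list(size_t n) {
    addr_t *head = NULL;
    while (n--) {
        addr_t *a = malloc(sizeof *a);
        if (!a) { free_list(head); return NULL; }
        a->personal = "Firstname (E-Mail)";
        a->mailbox  = "Firstname.Lastname";
        a->host     = "abcd.com";
        a->next = head;
        head = a;
    }
    return head;
}

/* 1 if a buffer sized by `sizer` holds the rendered list, 0 if the writer reports
 * it would have overrun (the crash condition in the report), -1 on malloc failure. */
int list_fits(size_t n_addresses, size_t (*sizer)(const addr_t *)) {
    addr_t *list = build_list(n_addresses);
    if (!list && n_addresses) return -1;
    size_t cap = sizer(list);
    char *buf = malloc(cap);
    if (!buf) { free_list(list); return -1; }
    size_t needed = write_address_list(buf, cap, list);
    free(buf);
    free_list(list);
    return needed <= cap;
}

int main(void) {
    size_t counts[] = { 1, 128, 129, 512 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("%3zu addresses: fixed slack %s, per-address %s\n", counts[i],
               list_fits(counts[i], size_fixed_slack) == 1 ? "fits" : "OVERRUN",
               list_fits(counts[i], size_per_address) == 1 ? "fits" : "OVERRUN");
    return 0;
}
```

The writer here takes the capacity and reports a shortfall instead of writing past it; the original code handed a malloc(len + MAILTMPLEN) buffer to an unbounded rfc822_write_address(), which is consistent with the backtraces above dying later inside malloc's chunk_alloc rather than at the write itself. The general point for review: slack that does not scale with the element count is an overflow waiting for a larger input, so derive the allocation from the same per-element bound the writer obeys, or use a writer that is given the buffer size.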
 [2002-10-08 15:16 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.
