Bug #20254 imap_header() crash with bad Reply-To
Submitted: 2002-11-05 01:52 UTC Modified: 2002-12-23 01:00 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: woonuk at xenoinfo dot com Assigned:
Status: No Feedback Package: IMAP related
PHP Version: 4.3.0-dev OS: Linux (2.4.18)
Private report: No CVE-ID: None
 [2002-11-05 01:52 UTC] woonuk at xenoinfo dot com
imap_header() quietly crashes.
This sample message has a bad Reply-To header.

machine A)
php : 4.2.3
c-client : imap-2001a
apache : 1.3.26

machine B)
php : 4.2.3
c-client : imap-2002.RC10
apache : 2.0.42

The above two machines got the same result.

--
Return-Path: <root@home.xenoinfo.com>
Delivered-To: home.xenoinfo.com-woonuk@home.xenoinfo.com
Received: (qmail 2862 invoked by uid 0); 5 Nov 2002 16:36:11 +0900
Date: 5 Nov 2002 16:36:11 +0900
Message-ID: <20021105073611.2861.qmail@home.xenoinfo.com>
From: root@home.xenoinfo.com
To: woonuk@home.xenoinfo.com
Reply-To: <>
Subject: This is Subject

This is body.

--

 [2002-11-05 03:54 UTC] woonuk at xenoinfo dot com
Here is the gdb backtrace.
(gdb) run -X
Starting program: /usr/local/apache2/bin/httpd -X
[New Thread 1024 (LWP 21817)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 21817)]
0x402df6dc in chunk_free () from /lib/libc.so.6
(gdb) bt
#0  0x402df6dc in chunk_free () from /lib/libc.so.6
#1  0x402df548 in free () from /lib/libc.so.6
#2  0x404583a7 in _php_make_header_object (myzvalue=0x823b188, en=0x82444a8, tsrm_ls=0x8186838) at php_imap.c:3724
#3  0x4044d232 in zif_imap_headerinfo (ht=2, return_value=0x823b188, this_ptr=0x0, return_value_used=1, tsrm_ls=0x8186838)
    at php_imap.c:1631
#4  0x403fd5f0 in execute (op_array=0x81e1d08, tsrm_ls=0x8186838) at ./zend_execute.c:1598
#5  0x404100ed in zend_execute_scripts (type=8, tsrm_ls=0x8186838, retval=0x0, file_count=3) at zend.c:812
#6  0x404236fd in php_execute_script (primary_file=0xbffff730, tsrm_ls=0x8186838) at main.c:1383
#7  0x4041e959 in php_output_filter (f=0x81d9980, bb=0x81d9ef0) at sapi_apache2.c:409
#8  0x080ac5a7 in ap_pass_brigade (next=0x81d9980, bb=0x81d9ab0) at util_filter.c:540
#9  0x080b2868 in default_handler (r=0x81ce7b0) at core.c:3317
#10 0x080a1bd6 in ap_run_handler (r=0x81ce7b0) at config.c:194
#11 0x080a20f1 in ap_invoke_handler (r=0x81ce7b0) at config.c:401
#12 0x08084e93 in ap_process_request (r=0x81ce7b0) at http_request.c:288
#13 0x080810b8 in ap_process_http_connection (c=0x81ca3b0) at http_core.c:293
#14 0x080aa6b6 in ap_run_process_connection (c=0x81ca3b0) at connection.c:85
#15 0x080a0889 in child_main (child_num_arg=0) at prefork.c:696
#16 0x080a093c in make_child (s=0x812b950, slot=0) at prefork.c:736
#17 0x080a0a26 in startup_children (number_to_start=5) at prefork.c:808
#18 0x080a0d28 in ap_mpm_run (_pconf=0x80e8690, plog=0x8126788, s=0x812b950) at prefork.c:1024
#19 0x080a5dab in main (argc=2, argv=0xbffffa44) at main.c:643
#20 0x402821c4 in __libc_start_main () from /lib/libc.so.6
(gdb)
 [2002-11-05 07:18 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip


 [2002-11-05 09:43 UTC] woonuk at xenoinfo dot com
I tried the above CVS version.
It worked, but the Apache logs said:

[Wed Nov 06 00:44:50 2002] [notice] child pid 15305 exit signal Segmentation fault (11)
[Wed Nov 06 00:44:55 2002] [notice] child pid 15371 exit signal Segmentation fault (11)
[Wed Nov 06 00:44:58 2002] [notice] child pid 15401 exit signal Segmentation fault (11)


and the backtrace is here.

(gdb) bt
#0  0x402debd3 in chunk_alloc () from /lib/libc.so.6
#1  0x402de9d0 in malloc () from /lib/libc.so.6
#2  0x4052b06f in _emalloc (size=256, __zend_filename=0x405e8740 "/usr/local/src/php4-200211030600/Zend/zend_stack.c",
    __zend_lineno=27, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/local/src/php4-200211030600/Zend/zend_alloc.c:154
#3  0x4053d0de in zend_stack_init (stack=0x40654380) at /usr/local/src/php4-200211030600/Zend/zend_stack.c:27
#4  0x4052c3d6 in zend_init_compiler_data_structures () at /usr/local/src/php4-200211030600/Zend/zend_compile.c:73
#5  0x4052c4f0 in init_compiler () at /usr/local/src/php4-200211030600/Zend/zend_compile.c:100
#6  0x4053e998 in zend_activate () at /usr/local/src/php4-200211030600/Zend/zend.c:594
#7  0x40506bba in php_request_startup () at /usr/local/src/php4-200211030600/main/main.c:833
#8  0x40556c1a in php_apache_request_ctor (f=0x81dcb68, ctx=0x81df000)
    at /usr/local/src/php4-200211030600/sapi/apache2filter/sapi_apache2.c:375
#9  0x40556e67 in php_output_filter (f=0x81dcb68, bb=0x81dce60)
    at /usr/local/src/php4-200211030600/sapi/apache2filter/sapi_apache2.c:449
#10 0x080ac5a7 in ap_pass_brigade (next=0x81dcb68, bb=0x81dcc98) at util_filter.c:540
#11 0x080b2868 in default_handler (r=0x81dd9c8) at core.c:3317
#12 0x080a1bd6 in ap_run_handler (r=0x81dd9c8) at config.c:194
#13 0x080a20f1 in ap_invoke_handler (r=0x81dd9c8) at config.c:401
#14 0x08084e93 in ap_process_request (r=0x81dd9c8) at http_request.c:288
#15 0x080810b8 in ap_process_http_connection (c=0x81d3578) at http_core.c:293
#16 0x080aa6b6 in ap_run_process_connection (c=0x81d3578) at connection.c:85
#17 0x080a0889 in child_main (child_num_arg=0) at prefork.c:696
#18 0x080a093c in make_child (s=0x812b950, slot=0) at prefork.c:736
#19 0x080a0a26 in startup_children (number_to_start=5) at prefork.c:808
#20 0x080a0d28 in ap_mpm_run (_pconf=0x80e8690, plog=0x8126788, s=0x812b950) at prefork.c:1024
#21 0x080a5dab in main (argc=2, argv=0xbffffa44) at main.c:643
#22 0x402821c4 in __libc_start_main () from /lib/libc.so.6
 [2002-11-05 14:29 UTC] iliaa@php.net
The last error implies a crash somewhere in the Apache 2 code. Does this crash happen on any particular script? If so, could you please provide the smallest possible version of such a script that can be used to replicate the problem.
 [2002-11-05 23:34 UTC] woonuk at xenoinfo dot com
I deleted many HTML tags and PHP code.
Ctrl+F5 (reload) gives either a good result or a crash.

$ cat test.php
<?php
    // password masked in the report
    $mailbox = imap_open("{localhost:143}"."INBOX.test", "woonuk@home.xenoinfo.com", "******");
    if (!$mailbox) die("imap_open failed: " . imap_last_error());
    $object = imap_fetchstructure($mailbox, 1);

    // imap_header() is the call that crashes on the "Reply-To: <>" message
    $header = imap_header($mailbox, 1);

    $from = $header->from[0]->personal;
    if(!$from) $from = $header->from[0]->mailbox;   // was "$header->$from[0]", a variable-variable typo

    $subject = htmlspecialchars(chop($header->Subject));
    if(!$subject) $subject = "Null !!";

    $to = $header->to[0]->personal;
    if(!$to) $to = $header->to[0]->mailbox;

    echo("Subject: $subject<br>");
    echo("Date : " . $header->Date . "<br>");
    echo("From : $from<br>");
    echo("To : $to<br>");

    imap_close($mailbox);
?>
 [2002-11-06 08:42 UTC] kalowsky@php.net
Your second bt shows that it's not an IMAP-specific problem, so it is interesting that it manifests itself in IMAP only.

Can you reproduce this with non-Apache2 as well (using the latest CVS of course)?  I know you probably hate me for asking this.
 [2002-11-07 18:53 UTC] sniper@php.net
Try this with the CLI (command line) PHP. Maybe another thread-safety issue? How did you configure Apache2?

 [2002-11-08 00:08 UTC] woonuk at xenoinfo dot com
The CLI (command line) PHP test was all right.

Apache2 was configured with --prefix=/usr/local/apache2 --enable-so
 [2002-11-08 06:48 UTC] sniper@php.net
So it works? It only crashes with Apache2?

 [2002-11-12 23:34 UTC] woonuk at xenoinfo dot com
Apache2 crashes more frequently(?) than Apache1.

If I try 10-20 times, it crashes one time with Apache2.
On Apache1, if I try 20-30 times, it crashes one time.
 [2002-11-13 12:41 UTC] sniper@php.net
Can you provide a backtrace using the latest CVS snapshot
and compiled with Apache 1.3?

 [2002-11-14 22:39 UTC] woonuk at xenoinfo dot com
I'm in another situation.

I configured PHP with the uw-imap c-client, but a
courier-imap server is running.

After stopping the courier-imap server and testing with the uw-imap server, there was no crash.

Testing with the courier-imap server again, here is the backtrace report.

(gdb) bt
#0  0x403b480e in _zval_ptr_dtor (zval_ptr=0x0, 
    __zend_filename=0x4046de00 "/usr/local/src/php4-200211030600/Zend/zend_variables.c", __zend_lineno=167)
    at /usr/local/src/php4-200211030600/Zend/zend_execute_API.c:291
#1  0x403be4d2 in _zval_ptr_dtor_wrapper (zval_ptr=0x0) at /usr/local/src/php4-200211030600/Zend/zend_variables.c:167
#2  0x403c5a01 in zend_hash_destroy (ht=0x812eacc) at /usr/local/src/php4-200211030600/Zend/zend_hash.c:543
#3  0x403be19a in _zval_dtor (zvalue=0x812ea8c, 
    __zend_filename=0x4046d6a0 "/usr/local/src/php4-200211030600/Zend/zend_execute_API.c", __zend_lineno=293)
    at /usr/local/src/php4-200211030600/Zend/zend_variables.c:60
#4  0x403b4839 in _zval_ptr_dtor (zval_ptr=0x811c820, 
    __zend_filename=0x4046de00 "/usr/local/src/php4-200211030600/Zend/zend_variables.c", __zend_lineno=167)
    at /usr/local/src/php4-200211030600/Zend/zend_execute_API.c:293
#5  0x403be4d2 in _zval_ptr_dtor_wrapper (zval_ptr=0x811c820) at /usr/local/src/php4-200211030600/Zend/zend_variables.c:167
#6  0x403c5a01 in zend_hash_destroy (ht=0x404da80c) at /usr/local/src/php4-200211030600/Zend/zend_hash.c:543
#7  0x403b433e in shutdown_executor () at /usr/local/src/php4-200211030600/Zend/zend_execute_API.c:186
#8  0x403bf70f in zend_deactivate () at /usr/local/src/php4-200211030600/Zend/zend.c:625
#9  0x40387bd3 in php_request_shutdown (dummy=0x0) at /usr/local/src/php4-200211030600/main/main.c:913
#10 0x403d6dfa in apache_php_module_main (r=0x8114ad4, display_source_mode=0)
    at /usr/local/src/php4-200211030600/sapi/apache/sapi_apache.c:61
#11 0x403d7c48 in send_php (r=0x8114ad4, display_source_mode=0, filename=0x8116614 "/home/www/test.php")
    at /usr/local/src/php4-200211030600/sapi/apache/mod_php4.c:556
#12 0x403d7cb5 in send_parsed_php (r=0x8114ad4) at /usr/local/src/php4-200211030600/sapi/apache/mod_php4.c:571
#13 0x08054823 in ap_invoke_handler ()
#14 0x08069ca7 in process_request_internal ()
#15 0x08069d08 in ap_process_request ()
#16 0x08060a79 in child_main ()
#17 0x08060c48 in make_child ()
#18 0x08060dbc in startup_children ()
#19 0x08061434 in standalone_main ()
#20 0x08061cb3 in main ()
#21 0x400ad1c4 in __libc_start_main () from /lib/libc.so.6
(gdb)
 [2002-12-02 13:51 UTC] K dot Kaczkowski at eisp dot pl
Hello.
Similar problem, an imap_header() crash, but under another condition: a long To: header.
PHP 4.2.3 as CLI, libc-client: 4.7-c2

The bug can be reproduced with a message containing the following header:
To: Someone <email@somehost.com>,
Someone2 <email2@somehost.com>,
...
Someone144 <email144@somehost>

I didn't test the actual threshold; it could be smaller than 144.

test script:
<?php
$imap = imap_open("{localhost:143}INBOX", "user", "pass");
if (!$imap) {
    echo "connect failed\n";
    exit(1);  // don't call imap_header() on a failed open
}
$header = imap_header($imap, 1);  // crashes on the long To: header

backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x3d0f86 in malloc () from /lib/libc.so.6
(gdb) bt
#0  0x3d0f86 in malloc () from /lib/libc.so.6
#1  0x3d0ca4 in malloc () from /lib/libc.so.6
#2  0x80c723c in _emalloc (size=12) at zend_alloc.c:165
#3  0x53e39e in _php_imap_parse_address (addresslist=0x817bfe0,
    fulladdress=0xbd870ec8, paddress=0x818476c) at php_imap.c:3632
#4  0x53e62e in _php_make_header_object (myzvalue=0x8178c3c, en=0x817ce58)
    at php_imap.c:3666
#5  0x536dbd in zif_imap_headerinfo (ht=2, return_value=0x8178c3c,
    this_ptr=0x0, return_value_used=1) at php_imap.c:1631
#6  0x497d99 in zend_assign_to_variable_reference ()
   from /usr/local/Zend/lib/ZendOptimizer.so
#7  0x4a1144 in zend_oe () from /usr/local/Zend/lib/ZendOptimizer.so
#8  0x80d3fb8 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at zend.c:812
#9  0x805f81d in php_execute_script (primary_file=0xbd873388) at main.c:1383
#10 0x805d6e3 in main (argc=2, argv=0xbd873404) at cgi_main.c:778
#11 0x37c0bf in __libc_start_main () from /lib/libc.so.6
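An added example (not php_imap.c or c-client code) covering both the empty "Reply-To: <>" from the first report and the 144-address To: line from this one: both backtraces die inside malloc/free while the header object is being built from an address list, which is consistent with heap corruption from an overrun buffer, and the defensive pattern is to size the rendered address string from the list itself rather than from a fixed constant. The ADDRESS struct here is a simplified stand-in, and the reading that a bare "<>" parses to a node with NULL fields is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in for the c-client ADDRESS node (not the real struct).
   Assumption: a bare "Reply-To: <>" yields a node with all three fields NULL. */
typedef struct address {
    char *personal, *mailbox, *host;
    struct address *next;
} ADDRESS;
/* Rendered length of the whole list ("Name <box@host>, ..."), without NUL.
   Any fixed buffer must be checked against this before writing into it. */
size_t joined_length(const ADDRESS *list) {
    size_t n = 0;
    for (const ADDRESS *a = list; a; a = a->next) {
        if (a->personal) n += strlen(a->personal) + 3;       /* "Name <" + ">" */
        if (a->mailbox)  n += strlen(a->mailbox);
        if (a->host)     n += strlen(a->host) + 1;           /* "@host" */
        if (!a->personal && !a->mailbox && !a->host) n += 2; /* bare "<>" */
        if (a->next)     n += 2;                             /* ", " */
    }
    return n;
}
/* Render into a heap buffer sized from joined_length(): a 144-address To:
   line grows the allocation instead of overrunning a fixed one. Caller frees. */
char *join_addresses(const ADDRESS *list) {
    char *out = malloc(joined_length(list) + 1), *p = out;
    if (!out) return NULL;
    for (const ADDRESS *a = list; a; a = a->next) {
        if (a->personal) p += sprintf(p, "%s <", a->personal);
        if (a->mailbox)  p += sprintf(p, "%s", a->mailbox);
        if (a->host)     p += sprintf(p, "@%s", a->host);
        if (a->personal) *p++ = '>';
        else if (!a->mailbox && !a->host) p += sprintf(p, "<>");
        if (a->next) { *p++ = ','; *p++ = ' '; }
    }
    *p = '\0';
    return out;
}
/* Constructed "Someone1 <email1@somehost>, ..." list like the reported one; n = 144. */
ADDRESS *make_long_to(int n) {
    ADDRESS *head = NULL;
    for (int i = n; i >= 1; i--) {
        ADDRESS *a = calloc(1, sizeof *a);
        a->personal = malloc(16); sprintf(a->personal, "Someone%d", i);
        a->mailbox  = malloc(16); sprintf(a->mailbox,  "email%d", i);
        a->host = "somehost"; a->next = head; head = a;
    }
    return head;
}
```

The 144-address list renders to 4390 bytes, well past the 1 KiB-class stack buffers such header code often uses, which is why sizing from the list matters.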
 [2002-12-07 16:06 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip


 [2002-12-23 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over 2 weeks, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 03:01:28 2024 UTC