PHP :: Bug #22638 :: Using Horde/IMP to read an email causes a crash

Bug #22638

Using Horde/IMP to read an email causes a crash

Submitted:

2003-03-11 13:49 UTC

Modified:

2003-03-31 02:16 UTC

Votes:	3
Avg. Score:	4.7 ± 0.5
Reproduced:	3 of 3 (100.0%)
Same Version:	2 (66.7%)
Same OS:	3 (100.0%)

From:

dsilvers at pepperfish dot net

Assigned:

Status:

Not a bug

Package:

IMAP related

PHP Version:

4.3.2RC

OS:

Linux

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2003-03-11 13:49 UTC] dsilvers at pepperfish dot net

When attempting to view an email from British Airways, Horde/IMP would cause a reliably reproducable segmentation fault in the zend hash implementation.

I have worked the minimum-tripping example to:

---CUT
From user@otherdomain.com Mon Mar 10 17:23:48 2003
From: <user@otherdomain.com>
To: <user@domain.example>
CC: <>
Reply-To: <user@domain.com>
Subject: Crashy email

This email crashes IMP
---CUT

The guys at horde.org say it's a PHP problem and that I should ask you guys to solve it.

If you could, I'd be very very grateful -- I have several customers whose email is very affected by this bug.

It appears that the bug is provoked by the adding of the odd CC header into the hash table of headers maintained by the IMAP code.

Here is a GDB backtrace of it happening in 4.3.1 release:

Program received signal SIGSEGV, Segmentation fault.
0x402d2998 in malloc () from /lib/libc.so.6
(gdb) bt
#0  0x402d2998 in malloc () from /lib/libc.so.6
#1  0x402d2074 in malloc () from /lib/libc.so.6
#2  0x0811d53c in _emalloc (size=53)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_alloc.c:154
#3  0x0812d126 in zend_hash_add_or_update (ht=0x833a004, 
    arKey=0x8159ee6 "mon_thousands_sep", nKeyLength=18, pData=0xbfff2118, 
    nDataSize=4, pDest=0x0, flag=1)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_hash.c:262
#4  0x0812b61c in add_assoc_string_ex (arg=0x828d864, 
    key=0x8159ee6 "mon_thousands_sep", key_len=18, str=0x404a30c9 ",", 
    duplicate=1) at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_API.c:673
#5  0x080d953d in zif_localeconv (ht=0, return_value=0x828d864, this_ptr=0x0, 
    return_value_used=1)
    at /home/dsilvers/new-webmail/php-4.3.1/ext/standard/string.c:3766
#6  0x0813982a in execute (op_array=0x836253c)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_execute.c:1598
#7  0x08139984 in execute (op_array=0x83639a4)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_execute.c:1640
#8  0x08139984 in execute (op_array=0x8362a2c)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_execute.c:1640
#9  0x08139984 in execute (op_array=0x824dcbc)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend_execute.c:1640
#10 0x0812a598 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/dsilvers/new-webmail/php-4.3.1/Zend/zend.c:864
#11 0x081087ef in php_execute_script (primary_file=0xbffffe48)
    at /home/dsilvers/new-webmail/php-4.3.1/main/main.c:1573
#12 0x08144a43 in main (argc=1, argv=0xbffffec4)
    at /home/dsilvers/new-webmail/php-4.3.1/sapi/cgi/cgi_main.c:1424
(gdb) quit

Here's my configure line:

./configure  --enable-fastcgi --with-pgsql --disable-ipv6 --with-imap --with-gettext --with-xml --with-mcrypt --prefix=/usr/local/webmail/php --with-imap-ssl  --with-zlib --disable-safe-mode

Here's info about the system:

Linux salmon 2.4.18 #1 Thu Mar 14 19:06:39 GMT 2002 i686 unknown
 
It's a duron 600 based system with plenty of free ram and swap.

It is running Debian GNU/Linux 3.0r1 (Woody) with security patches

PHP is compiled up from source.

If there's any other information you need, just yell.

D.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-03-11 20:44 UTC] sniper@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip


And what part of IMP causes the crash?
Reading it from the imap server?
Processing the mail?

[2003-03-18 13:35 UTC] dsilvers at pepperfish dot net

Right. With the snapshot:

php4-STABLE-200303181830

I get exactly the same outward behaviour (I.E. PHP dies when I read a message with a 'CC: <>' header in it.

This is the gdb:

Program received signal SIGSEGV, Segmentation fault.
0x402d29d1 in malloc () from /lib/libc.so.6
(gdb) bt
#0  0x402d29d1 in malloc () from /lib/libc.so.6
#1  0x402d2074 in malloc () from /lib/libc.so.6
#2  0x0811debc in _emalloc (size=12)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/Zend/zend_alloc.c:158
#3  0x0813a1dd in execute (op_array=0x8334174)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/Zend/zend_execute.c:1601
#4  0x0813a3b4 in execute (op_array=0x8406dcc)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/Zend/zend_execute.c:1650
#5  0x0812af28 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/Zend/zend.c:864
#6  0x08108caa in php_execute_script (primary_file=0xbffffe48)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/main/main.c:1647
#7  0x081454b3 in main (argc=1, argv=0xbffffec4)
    at /home/dsilvers/new-webmail/php4-STABLE-200303181830/sapi/cgi/cgi_main.c:1480

Any ideas?

[2003-03-18 20:12 UTC] sniper@php.net

Reclassified, assuming the problem is caused by the imap functions.

What c-client version are you using??
(it's most likely that what is causing the crash, and not PHP code)

What part of IMP causes the crash?
Reading it from the imap server?
Processing the mail?

Please try and add some debug die() lines or something
to figure out what exactly causes the crash.

[2003-03-24 04:17 UTC] sniper@php.net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

[2003-03-28 03:36 UTC] spamfree at orangechicken dot com

Please don't close this bug. It happens in 4.3.1 as well. Here's the minimum code that causes a crash:

$inbox = imap_open( '{' . MAIL_SERVER . '/pop3:110}INBOX', MAIL_USER, MAIL_PASS );

Here's the compile string:
'./configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-xml' '--enable-bcmath' '--enable-calendar' '--with-curl' '--enable-ftp' '--with-gd' '--with-jpeg-dir=/usr/local' '--with-png-dir=/usr' '--with-xpm-dir=/usr/X11R6' '--with-imap' '--with-imap-ssl' '--with-kerberos' '--with-mcrypt' '--enable-magic-quotes' '--with-mysql' '--with-pear' '--enable-xslt' '--with-xslt-sablot' '--enable-sockets' '--enable-track-vars' '--with-ttf' '--with-freetype-dir=/usr' '--enable-gd-native-ttf' '--enable-versioning' '--with-zlib'

What else do I need? It seems like the code is quite minimum to cause the crash (1 line).

[2003-03-31 02:16 UTC] sniper@php.net

Can not reproduce with given information.
Update your c-client library first.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 16 08:01:32 2024 UTC