Bug #23090 imap crashes with large To: list
Submitted: 2003-04-07 09:20 UTC
Modified: 2003-04-29 10:20 UTC
Avg. Score:4.1 ± 1.3
Reproduced:13 of 14 (92.9%)
Same Version:10 (76.9%)
Same OS:12 (92.3%)
From: travis at deakin dot edu dot au
Assigned:
Status: No Feedback
Package: IMAP related
PHP Version: 4.3.2-RC
OS: Linux
Private report: No
CVE-ID: None

 [2003-04-07 09:20 UTC] travis at deakin dot edu dot au
When using imap to read a mailbox that contains the following To: line in the email (just an example of one with a large To: line) it crashes. I know it is very long but unfortunately a number of spam messages have this style of To line and break our php web based email client.

The version of imap c-client was from imap-2002b.

An example To: line which causes the crash:



 [2003-04-07 10:44 UTC] gale at gtk dot org
Here's a backtrace. Looks like something is scribbling over memory. Have reproduced this on 4.3.1 and 4.2.3. However, 4.2.1 doesn't have this issue.

#0  0x352b50 in chunk_alloc (ar_ptr=0x401680, nb=56) at malloc.c:2948
#1  0x3521ce in __libc_malloc (bytes=52) at malloc.c:2696
#2  0x813e309 in _emalloc (size=35) at zend_alloc.c:165
#3  0x8153a87 in zend_hash_index_update_or_next_insert (ht=0x84cb1cc, h=6, pData=0xbfff72f8, nDataSize=4, pDest=0x0, flag=4) at zend_hash.c:404
#4  0x80c92fc in _php_imap_parse_address (addresslist=0x84bf7e8, fulladdress=0xbfff7328, paddress=0x84cb1ac) at php_imap.c:268
#5  0x80c94a8 in _php_make_header_object (myzvalue=0x84cac24, en=0x84bf388) at php_imap.c:3666
#6  0x80c1c6a in zif_imap_headerinfo (ht=2, return_value=0x84cac24, this_ptr=0x0, return_value_used=1) at php_imap.c:1631
#7  0x816d871 in execute (op_array=0x8478114) at ./zend_execute.c:1598
#8  0x816da36 in execute (op_array=0x842fee4) at ./zend_execute.c:1638
#9  0x816da36 in execute (op_array=0x83d3134) at ./zend_execute.c:1638
#10 0x816da36 in execute (op_array=0x8392704) at ./zend_execute.c:1638
#11 0x814f3b6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:812
#12 0x80b5cba in php_execute_script (primary_file=0xbffff814) at main.c:1383
#13 0x815a037 in apache_php_module_main (r=0x834fcac, display_source_mode=0) at sapi_apache.c:90
#14 0x80b2316 in send_php ()
#15 0x80b23a4 in send_parsed_php ()
#16 0x81798a3 in ap_invoke_handler ()
#17 0x81936d9 in process_request_internal ()
#18 0x8193781 in ap_process_request ()
#19 0x81892ee in child_main ()
#20 0x818957f in make_child ()
#21 0x8189673 in startup_children ()
#22 0x8189d96 in standalone_main ()
 [2003-04-08 00:59 UTC] travis at deakin dot edu dot au
I downloaded the cvs snapshot as suggested and configured/compiled/installed the cvs snapshot up and unfortunately the problem is still there.
 [2003-04-09 21:18 UTC]
what is the value of the 'len' variable on step #4?
 [2003-04-13 10:43 UTC] travis at deakin dot edu dot au
side note: my 2.4.20 kernel was the reason I couldn't do a backtrace of either apache2 or apache ..

I've confirmed that the bug is not present with apache 1.3.27 and php 4.2.1 ..
 [2003-04-23 04:09 UTC]
what is the value of the 'len' variable on step #4?

 [2003-04-23 06:22 UTC] travis at deakin dot edu dot au
I've had a lot of trouble producing a backtrace (i.e. I haven't been able to so far) as it no longer segment faults for me.. I just get a zero sized reply now.
 [2003-04-24 04:26 UTC]
What gives zero sized reply? Example script..?

 [2003-04-29 10:20 UTC]
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

Last updated: Thu Feb 25 20:01:24 2021 UTC