Bug #24150 imap_fetch_overview crashes with a very big address in From:
Submitted: 2003-06-12 09:23 UTC
Modified: 2003-06-16 12:43 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: nuno at co dot sapo dot pt
Assigned: iliaa
Status: Closed
Package: IMAP related
PHP Version: 4.3.2
OS: Linux 2.4.x
Private report: No
CVE-ID:
 [2003-06-12 09:23 UTC] nuno at co dot sapo dot pt
Description:
------------
I reproduced this bug with php 4.3.2 and 4.2.3, so this is not a new problem.

If you imap_fetch_overview() a mailbox with a message with a huge address in the To: field, PHP crashes.

The message on which I discovered this bug has the following From: field:

 [2003-06-12 09:59 UTC] sniper@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2003-06-16 08:33 UTC] nuno at co dot sapo dot pt
(gdb) bt
#0  0x80ed07a in zif_imap_fetch_overview (ht=1717791080, return_value=0x6a756479, this_ptr=0x636e626b, return_value_used=1785165933)
    at /servers/sources/php-4.3.2/ext/imap/php_imap.c:224
#1  0x65796866 in ?? ()
Cannot access memory at address 0x736f6a70.
(gdb)
 [2003-06-16 08:40 UTC] sniper@php.net
Did you configure PHP with --enable-debug??
If not, please do it. And remember to delete config.cache before running configure again.

Also, which c-client version are you using?

 [2003-06-16 09:09 UTC] nuno at co dot sapo dot pt
Checking imap_fetch_overview() function source code (php_imap.c, line 2666) we can see that the address variable is an array with a length of MAILTMPLEN (defined in phplib as 1024, I think).

Well, this From address has around 10k length, so it seems obvious what's happening.

Why doesn't php truncate the from address as it does in imap_headerinfo() ?

Note: This is just speculation. I'm not really sure about what I'm talking about since I have never looked at the PHP sources, and haven't coded C for some years now. :)
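
Added example (not part of the thread and not PHP's or c-client's code): the failure mode discussed above, an address of about 10k characters formatted into a 1024-byte array, shown as an unchecked copy next to a bounded formatter that truncates and reports it. The struct, function names, EXAMPLE_TMPLEN and the example.invalid host are hypothetical; the oversized mailbox is constructed test input.

```c
#include <stdio.h>
#include <string.h>

#define EXAMPLE_TMPLEN 1024 /* assumed: the 1024-byte size mentioned in the thread */

/* Hypothetical minimal address record; not c-client's ADDRESS type. */
struct example_addr { const char *mailbox; const char *host; };

/* Unchecked pattern, for contrast only and never called here: nothing ties
 * the amount written to the size of dst, so a long mailbox runs past it. */
void format_unbounded(char *dst, const struct example_addr *a)
{
    strcpy(dst, a->mailbox);
    strcat(dst, "@");
    strcat(dst, a->host);
}

/* Bounded formatter: writes at most dstlen-1 bytes plus the terminator.
 * Returns 0 if the address fit, 1 if it was truncated, -1 on bad input. */
int format_bounded(char *dst, size_t dstlen, const struct example_addr *a)
{
    int n;
    if (!dst || dstlen == 0 || !a || !a->mailbox || !a->host) return -1;
    n = snprintf(dst, dstlen, "%s@%s", a->mailbox, a->host);
    if (n < 0) { dst[0] = '\0'; return -1; }
    return ((size_t)n >= dstlen) ? 1 : 0;
}

/* Builds a constructed mailbox of mailbox_len 'a' characters, formats it
 * into a fixed stack buffer, and returns the length actually stored. */
size_t demo_format(size_t mailbox_len, int *truncated)
{
    static char big[16384];
    char out[EXAMPLE_TMPLEN];
    struct example_addr a;
    if (mailbox_len >= sizeof big) mailbox_len = sizeof big - 1;
    memset(big, 'a', mailbox_len);
    big[mailbox_len] = '\0';
    a.mailbox = big;
    a.host = "example.invalid";
    *truncated = format_bounded(out, sizeof out, &a);
    return strlen(out);
}

int main(void)
{
    int t;
    size_t n = demo_format(10000, &t); /* roughly the size reported above */
    printf("stored=%zu truncated=%d\n", n, t);
    return 0;
}
```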
 [2003-06-16 09:28 UTC] nuno at co dot sapo dot pt
No, I didn't recompile it with --enable-debug.
With PHP 4.3.2 I used a hacked c-client.

*But* before I submitted the bug I tried it on my laptop, which runs PHP 4.2.3 installed via apt-get, and it also segfaulted.

$ dpkg -l php* | grep IMAP
ii  php4-imap      4.2.3-9        IMAP module for php4

$ dpkg -S /usr/include/c-client/mail.h
libc-client2001-dev: /usr/include/c-client/mail.h
 [2003-06-16 12:43 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 13:01:59 2014 UTC