php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #26909 Apache crashes when non rfc2047 string is passed to imap_mime_header_decode
Submitted: 2004-01-14 14:32 UTC Modified: 2004-01-14 19:31 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kristijonas dot siaulys at delfi dot lt Assigned:
Status: Closed Package: Reproducible crash
PHP Version: Irrelevant OS: FreeBSD 5.1, RedHat 7.3
Private report: No CVE-ID:
 [2004-01-14 14:32 UTC] kristijonas dot siaulys at delfi dot lt
Description:
------------
imap_mime_header_decode can't handle RFC2047 encoded strings where encoding is not 'Q' or 'B' (qprint, base64).
If another letter is specified then Apache exits on signal 6. This is due to usage of fs_give() where it shouldn't be.
The bug is located in ext/imap/php_imap.c.
As I've noticed all PHP versions suppoting imap_mime_header_decode funcion have this bug.

Here is a fix patch:
--- ext/imap/php_imap.c.orig	Thu Sep  4 10:48:30 2003
+++ ext/imap/php_imap.c	Wed Jan 14 19:23:09 2004
@@ -3511,6 +3511,7 @@
 	char *string, *charset, encoding, *text, *decode;
 	long charset_token, encoding_token, end_token, end, offset=0, i;
 	unsigned long newlength;
+	int valid_encoding;
 
 	if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &str) == FAILURE) {
 		ZEND_WRONG_PARAM_COUNT();
@@ -3550,11 +3551,14 @@
 						memcpy(text, &string[encoding_token + 3], end_token - (encoding_token + 3));	/* Extract text */
 						text[end_token - (encoding_token + 3)] = 0x00;
 						decode = text;
+						valid_encoding=0;
 						if (encoding == 'q' || encoding == 'Q') {	/* Decode 'q' encoded data */
 							for(i=0; text[i] != 0x00; i++) if (text[i] == '_') text[i] = ' ';	/* Replace all *_' with space. */
 							decode = (char *)rfc822_qprint((unsigned char *) text, strlen(text), &newlength);
+							valid_encoding=1;
 						} else if (encoding == 'b' || encoding == 'B') {
 							decode = (char *)rfc822_base64((unsigned char *) text, strlen(text), &newlength); /* Decode 'B' encoded data */
+							valid_encoding=1;
 						}
 						if (decode == NULL) {
 							efree(charset);
@@ -3566,7 +3570,7 @@
 						add_property_string(myobject, "charset", charset, 1);
 						add_property_string(myobject, "text", decode, 1);
 						zend_hash_next_index_insert(Z_ARRVAL_P(return_value), (void *)&myobject, sizeof(zval *), NULL);
-						fs_give((void**)&decode);
+						if(valid_encoding) fs_give((void**)&decode);
 						
 						offset = end_token+2;
 						for (i = 0; (string[offset + i] == ' ') || (string[offset + i] == 0x0a) || (string[offset + i] == 0x0d); i++);


Reproduce code:
---------------
imap_mime_header_decode("=?whatever?not_q_or_b?whatever?=");

As this function is mostly used in webmail systems to decode subjects, by sending an email with malicious subject can make users mailbox innacessible via that webmail application (as message subject listing would crash apache).


Expected result:
----------------
I expect this function to decode text 'whatever' to 'whatever' and not to crash Apache.
The code does that, but double 'free' at the end crashes Apache and no resut is returned.

Actual result:
--------------
Apache child exited on signal 6.

This is beacuse such malformed string causes such code sequence (in ext/imap/php_imap.c):
1. text = emalloc(size);
2. decoded = text;
3. fs_give(decoded);
4. efree(text);

notice two 'free' at the end.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-01-14 18:05 UTC] kristijonas dot siaulys at delfi dot lt
p.s. on Linux crash code is 'exit signal Segmentation fault (11)'
and the patch I've provided is diff'ed on PHP 4.3.4 but it should apply on other versions too.
 [2004-01-14 19:31 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 12:02:07 2014 UTC