Bug #32158 imap_headerinfo() function can crash
Submitted: 2005-03-02 00:51 UTC Modified: 2005-03-18 01:00 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 0 (0.0%)
From: matti dot aarnio at kv9 dot net Assigned:
Status: No Feedback Package: IMAP related
PHP Version: 5.0.3 OS: Solaris 8
Private report: No CVE-ID: None

 [2005-03-02 00:51 UTC] matti dot aarnio at kv9 dot net
Description:
------------
We have php-4.3.10 and php-5.0.3 crashing in an identical manner. That isn't surprising, given that the relevant code inside both PHPs is identical.

The C-Client library is from UW-IMAP 2004c1, and an oldish IMP script is asking for the headers of the following message
(addresses obfuscated, but structure left intact):


From Oooo.Nnnnnnnnn@uuu.fi Tue Oct 12 17:18:14 2004
Received: from mx4.uuu.fi ([193.167.224.118]:48474 "EHLO mx4.uuu.fi"
        TLS-CIPHER: <none>) by mail.dnainternet.net with ESMTP
        id S199057AbUJLOSO (ORCPT <rfc822;mmmmmmmm.kkkkk@dnainternet.net>);
        Tue, 12 Oct 2004 17:18:14 +0300
Received: from localhost (localhost.localdomain [127.0.0.1])
        by mx4.uuu.fi (8.12.10/8.12.10) with ESMTP id i9CEIC9I018154
        for <mmmmmmm.kkkkkkk@dnainternet.net>; Tue, 12 Oct 2004 17:18:12 +0300
From:   "Oooo Nnnnnnnn" <Oooo.Nnnnnnnn@uuu.fi>
To:     "=?ISO-8859-1?Q?mmmmm.pppppp=E4inen@kkkkkk.fi?=" 
         =?ISO-8859-1?Q?=20<mmmmmmm.ppppp=E4in?=  =?ISO-8859-1?Q?en@kkkkkk.fi>?=
Date:   Tue, 12 Oct 2004 17:18:08 +0300
MIME-Version: 1.0
Subject: =?ISO-8859-1?Q?kfjsdkfjksdjfksdjfk_dsfsdfds=E4sfsdfsdf_28.10._sfsdfdsfsdf=E4
_sdfsdfsd_sdfsdf_sdfsdfs?=
CC:     mmmmm.kkkkkk@dnainternet.net
Message-ID: <416C11D0.26047.1A133C5@localhost>
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: Quoted-printable
Content-description: Mail message body


A debug session gave a functional libphp when I preallocated excessively large string spaces in the php_imap.c::_php_imap_parse_address() function.
Throwing in an extra kilobyte safety buffer for malloc()s just in case does not match my idea of sensible code, however. (Nor does it feel _safe_.)

The C-Client API used is an abomination in itself: its caller must have sufficient buffer space, but there is no way to ask it how much must be allocated, and while PHP tries to figure that out, under some conditions with abnormal input it fails miserably, and rfc822_write_address() will scribble over the end of the malloc()ed buffer space, along with all the merriment that such things cause...


The least harm that happens is heap corruption and the Apache/PHP instance crashing.
Whether it can lead to execution of arbitrary code in Apache, I won't speculate about.


Reproduce code:
---------------
An oldish IMP installation calling imap_headerinfo().
Any PHP webmail setup with IMAP access to the message store should do.



Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0xff1c158c in _malloc_unlocked () from /usr/lib/libc.so.1
(gdb) where
#0  0xff1c158c in _malloc_unlocked () from /usr/lib/libc.so.1
#1  0xff1c1414 in malloc () from /usr/lib/libc.so.1
#2  0xfefdc060 in _emalloc (size=44) at /home/mea/src/php-4.3.10/Zend/zend_alloc.c:164
#3  0xfeff140c in zend_hash_add_or_update (ht=0x4d8458, arKey=0xff0af130 "personal", 
    nKeyLength=9, pData=0xffbe3d1c, nDataSize=4, pDest=0x0, flag=1)
    at /home/mea/src/php-4.3.10/Zend/zend_hash.c:275
#4  0xfefefd74 in add_property_string_ex (arg=0x4cf8d0, key=0xff0af130 "personal", 
    key_len=9, 
    str=0x4bacf0 "=?ISO-8859-1?Q?mmmmm.pppppp=E4inen@kkkkkk.fi?=          =?ISO-8859-1?Q?=20", duplicate=1) at /home/mea/src/php-4.3.10/Zend/zend_API.c:980
#5  0xfef1105c in _php_imap_parse_address (addresslist=0xffbe3d94, fulladdress=0x290, 
    paddress=0x4cf8f8) at /home/mea/src/php-4.3.10/ext/imap/php_imap.c:3701
#6  0xfef112f4 in _php_make_header_object (myzvalue=0x4d02a0, en=0x4bac90)
    at /home/mea/src/php-4.3.10/ext/imap/php_imap.c:3733
#7  0xfef07f78 in zif_imap_headerinfo (ht=4957520, return_value=0x4d02a0, this_ptr=0x0, 
    return_value_used=1) at /home/mea/src/php-4.3.10/ext/imap/php_imap.c:1506
#8  0xfefffba8 in execute (op_array=0x373880)
    at /home/mea/src/php-4.3.10/Zend/zend_execute.c:1642
#9  0xfefed900 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/mea/src/php-4.3.10/Zend/zend.c:900
#10 0xfefbeb98 in php_execute_script (primary_file=0xffbef620)
    at /home/mea/src/php-4.3.10/main/main.c:1736
#11 0xff0061f4 in apache_php_module_main (r=0x1cc7b8, display_source_mode=0)
    at /home/mea/src/php-4.3.10/sapi/apache/sapi_apache.c:54
#12 0xff00726c in send_php (r=0x1cc7b8, display_source_mode=0, filename=0x0)
    at /home/mea/src/php-4.3.10/sapi/apache/mod_php4.c:621
#13 0xff007310 in send_parsed_php (r=0x1cc7b8)
    at /home/mea/src/php-4.3.10/sapi/apache/mod_php4.c:636
#14 0x843c0 in ap_invoke_handler ()
#15 0xa26dc in process_request_internal ()


History
 [2005-03-04 16:39 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.0-win32-latest.zip


 [2005-03-18 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Oct 26 16:01:23 2020 UTC