php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44613 imap_headerinfo crashes when large int is passed as $[from|subject]_length arg
Submitted: 2008-04-02 15:20 UTC Modified: 2008-04-02 16:31 UTC
From: jmessa@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.2CVS-2008-04-02 (snap) OS: Windows XP
Private report: No CVE-ID:
 [2008-04-02 15:20 UTC] jmessa@php.net
Description:
------------
The crash in this case is due to lack of a sanity check on "fromlength" argument passed to imap_headerinfo().

In the php_imap.c code we have:

PHP_FUNCTION(imap_headerinfo)
{
	zval **streamind, **msgno, **fromlength, **subjectlength, **defaulthost;
	pils *imap_le_struct;
	MESSAGECACHE *cache;
	ENVELOPE *en;
	char dummy[2000], fulladdress[MAILTMPLEN];


were MAILTMPLEN is defined in mail.h as 1024. So stack space is allocated for  a buffer of 1024 bytes  to receive the "from" details which is retrieved by the following code:

mail_fetchfrom(fulladdress, imap_le_struct->imap_stream, Z_LVAL_PP(msgno), Z_LVAL_PP(fromlength));

mail_fetchfrom uses the "fromlength"  supplied on the imap_headerinfo() call to clear out part of the "fulladdress" buffer to spaces before copying the "from" string into it.
If the specified fromlength is greater than 1024 bytes (MAILTMPLEN) then storage over-writes will occur and data corruption or crashes will result.

The php_imap.c code needs to be changed to add a simple sanity check on the input argument. Something along the following lines. 

if (myargc >= 3) {
        convert_to_long_ex(fromlength);
        if (Z_LVAL_PP(fromlength) < 0 ) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "From length has to be greater than or equal to 0");
                RETURN_FALSE;
        }

        ---- start of new code -------
         if (Z_LVAL_PP(fromlength) > MAILTMPLEN ) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "From length must be less than or equal to %i bytes", MAILTMPLEN);
                RETURN_FALSE;
        }	
        ---- end of new code -----	
} else {
        fromlength = 0x00;
}

A similar check is also needed for "subjectlength" argument.


Reproduce code:
---------------
<?php
var_dump(imap_headerinfo($imap_stream, $msg_no, 12345, 12345));
?>

Expected result:
----------------
Warning: imap_headerinfo(): From length must be less than or equal to %d bytes
bool(false)

Actual result:
--------------
PHP crash

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-04-02 16:31 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 17:01:58 2014 UTC