|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44613 imap_headerinfo crashes when large int is passed as $[from|subject]_length arg
Submitted: 2008-04-02 15:20 UTC Modified: 2008-04-02 16:31 UTC
From: Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.2CVS-2008-04-02 (snap) OS: Windows XP
Private report: No CVE-ID: None
 [2008-04-02 15:20 UTC]
The crash in this case is due to lack of a sanity check on "fromlength" argument passed to imap_headerinfo().

In the php_imap.c code we have:

	zval **streamind, **msgno, **fromlength, **subjectlength, **defaulthost;
	pils *imap_le_struct;
	char dummy[2000], fulladdress[MAILTMPLEN];

were MAILTMPLEN is defined in mail.h as 1024. So stack space is allocated for  a buffer of 1024 bytes  to receive the "from" details which is retrieved by the following code:

mail_fetchfrom(fulladdress, imap_le_struct->imap_stream, Z_LVAL_PP(msgno), Z_LVAL_PP(fromlength));

mail_fetchfrom uses the "fromlength"  supplied on the imap_headerinfo() call to clear out part of the "fulladdress" buffer to spaces before copying the "from" string into it.
If the specified fromlength is greater than 1024 bytes (MAILTMPLEN) then storage over-writes will occur and data corruption or crashes will result.

The php_imap.c code needs to be changed to add a simple sanity check on the input argument. Something along the following lines. 

if (myargc >= 3) {
        if (Z_LVAL_PP(fromlength) < 0 ) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "From length has to be greater than or equal to 0");

        ---- start of new code -------
         if (Z_LVAL_PP(fromlength) > MAILTMPLEN ) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "From length must be less than or equal to %i bytes", MAILTMPLEN);
        ---- end of new code -----	
} else {
        fromlength = 0x00;

A similar check is also needed for "subjectlength" argument.

Reproduce code:
var_dump(imap_headerinfo($imap_stream, $msg_no, 12345, 12345));

Expected result:
Warning: imap_headerinfo(): From length must be less than or equal to %d bytes

Actual result:
PHP crash


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2008-04-02 16:31 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Feb 24 12:01:27 2024 UTC