Bug #44663 Crash in imap_mail_compose if "body" parameter invalid
Submitted: 2008-04-07 14:53 UTC Modified: 2008-04-08 00:03 UTC
From: jmessa@php.net Assigned: iliaa
Status: Closed Package: Reproducible crash
PHP Version: 5.2CVS-2008-04-07 (snap) OS: Windows XP
Private report: No CVE-ID:
 [2008-04-07 14:53 UTC] jmessa@php.net
Description:
------------
If imap_mail_compose is called with a "body" parameter which is NOT an indexed array of body parts where each body part is itself an associative array (as per the php.net manual description here: http://uk2.php.net/manual/en/function.imap-mail-compose.php), then a crash can occur.
I would expect the code to detect that the passed "body" array is invalid and return FALSE with a warning message; instead we crash around line 3156.

Although the code verifies that the first body part is itself an array without problems, if it's not an array then it's ignored. This then leads to a crash because the variable "bod" is not initialized when processing the first body part. We then crash when processing the 2nd body part in the following code:

    if (!toppart) {
        bod->nested.part = mail_newbody_part();  /* <<< CRASH HERE as "bod" is NULL */
        mypart = bod->nested.part;
        toppart = 1;
    } else {
        mypart->next = mail_newbody_part();
        mypart = mypart->next;
    }


I believe the code should detect when a body part is not an array and report an error rather than just skipping over the body part.

The check at line 3049 which checks that the body part is an array needs to report an error if it isn't, i.e change code as follows:

    if (Z_TYPE_PP(data) != IS_ARRAY) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "body part parameter must be an array");
        RETURN_FALSE;
    } else {
        bod = mail_newbody();
        topbod = bod;
    .. etc


I'm also not sure about the check at around line 3148; skipping over body parts here which are not arrays will not result in a crash  but code should probably report a similar error anyway.

Reproduce code:
---------------
<?php
$envelope["from"]    = "foo@anywhere.com";
$envelope["to"]      = "webmaster@something.com";
$envelope["subject"] = "Test msg 1";

$part2["type"]          = TYPETEXT;
$part2["subtype"]       = "plain";
$part2["description"]   = "imap_mail_compose() function";
$part2["contents.data"] = "Crash in imap_mail_compose if first element of body array not an array";

$body[1] = NULL;    // first body part deliberately not an array: this triggers the crash
$body[2] = $part2;

var_dump(imap_mail_compose($envelope, $body));
?>

Expected result:
----------------
FALSE return with warning msg.

Actual result:
--------------
Exception at around line 3156
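
As an added illustration of the fix this report asks for, and not code from the reporter or from PHP's ext/imap source: a C model of the part-building loop that validates every body part before allocating anything, so a non-array first part produces a warning and a FALSE-style return instead of a NULL dereference. The types (part_t as a stand-in for a zval, body_part and message_body as stand-ins for the c-client structures) and the helpers validate_body_parts, compose_body, repro_invalid_first_part and repro_valid_body are all constructed for this example; the sample bodies mirror the reproduce code above ($body[1] = NULL, $body[2] = a real part).

```c
/* Added example (not PHP's own code): fail-closed validation of a "body"
   array before any part is allocated. All types below are constructed
   stand-ins for the zval and c-client structures used by imap_mail_compose. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { T_NULL, T_STRING, T_ARRAY } part_type;   /* stand-in for Z_TYPE */

typedef struct {
    part_type   type;
    const char *contents;   /* stand-in for "contents.data"; valid only for T_ARRAY */
} part_t;

typedef struct body_part {              /* stand-in for the c-client PART */
    const char       *contents;
    struct body_part *next;
} body_part;

typedef struct {                        /* stand-in for the top-level BODY */
    body_part *first;
    size_t     nparts;
} message_body;

enum { COMPOSE_OK = 0, COMPOSE_INVALID_PART = -1, COMPOSE_NOMEM = -2 };

/* Release every part; safe to call on a zeroed message_body. */
void free_body(message_body *mb) {
    body_part *p = mb->first;
    while (p) { body_part *n = p->next; free(p); p = n; }
    mb->first = NULL;
    mb->nparts = 0;
}

/* Pass 1: reject the whole body if any part is not an array.
   The offending index is reported 1-based to match $body[1], $body[2]. */
int validate_body_parts(const part_t *parts, size_t n, size_t *bad_index) {
    for (size_t i = 0; i < n; i++) {
        if (parts[i].type != T_ARRAY) {
            if (bad_index) *bad_index = i + 1;
            return COMPOSE_INVALID_PART;
        }
    }
    return COMPOSE_OK;
}

/* Pass 2: allocate only after validation succeeded, so the list head is
   never NULL when a later part is linked and nothing leaks on the error path. */
int compose_body(const part_t *parts, size_t n, message_body *out) {
    size_t bad = 0;
    if (validate_body_parts(parts, n, &bad) != COMPOSE_OK) {
        fprintf(stderr, "Warning: body part %zu must be an array\n", bad);
        return COMPOSE_INVALID_PART;   /* out is left untouched, like RETURN_FALSE */
    }
    body_part *head = NULL, *tail = NULL;
    for (size_t i = 0; i < n; i++) {
        body_part *p = calloc(1, sizeof *p);
        if (!p) {                       /* allocation failure: unwind what was built */
            message_body partial = { head, i };
            free_body(&partial);
            return COMPOSE_NOMEM;
        }
        p->contents = parts[i].contents;
        if (!head) head = p; else tail->next = p;
        tail = p;
    }
    out->first = head;
    out->nparts = n;
    return COMPOSE_OK;
}

/* The report's reproduce case: first part NULL, second a real part (constructed). */
int repro_invalid_first_part(void) {
    part_t body[2] = { { T_NULL, NULL }, { T_ARRAY, "text/plain part" } };
    message_body mb = { NULL, 0 };
    int rc = compose_body(body, 2, &mb);
    free_body(&mb);
    return rc;   /* COMPOSE_INVALID_PART, no crash */
}

/* Well-formed body: both parts are arrays (constructed). */
size_t repro_valid_body(void) {
    part_t body[2] = { { T_ARRAY, "part one" }, { T_ARRAY, "part two" } };
    message_body mb = { NULL, 0 };
    size_t n = (compose_body(body, 2, &mb) == COMPOSE_OK) ? mb.nparts : 0;
    free_body(&mb);
    return n;   /* 2 */
}

int main(void) {
    printf("invalid first part -> rc %d\n", repro_invalid_first_part());
    printf("valid body -> %zu parts\n", repro_valid_body());
    return 0;
}
```

Validating in a separate pass is deliberate: a bare RETURN_FALSE placed inside a loop that has already started allocating parts needs its own cleanup path, whereas rejecting the input before the first allocation keeps the error path free of both the NULL dereference and any leaked structures.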

 [2008-04-08 00:03 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 06:02:27 2014 UTC