PHP :: Bug #56742 :: Segfault when calling MimeMessage::get

Bug #56742	Segfault when calling MimeMessage::get_child() in OO mode.
Submitted:	2005-12-22 14:10 UTC	Modified:	2007-11-27 15:02 UTC
From:	bert at procurios dot nl	Assigned:
Status:	Closed	Package:	mailparse (PECL)
PHP Version:	5.0.5	OS:	Linux Debian Sarge x86_64
Private report:	No	CVE-ID:	None

View Developer Edit

[2005-12-22 14:10 UTC] bert at procurios dot nl

Description:
------------
Segfault when calling MimeMessage::get_child() in OO mode.

Reproduce code:
---------------
$MimePart = new MimeMessage('var', $buffer);
$n = $MimePart->get_child_count();
if ($n > 0) {
  for ($i = 0; $i < $n; $i++) {
    $ChildPart = $MimePart->get_child($i);
  }
}

Expected result:
----------------
No segfault

Actual result:
--------------
[Thu Dec 22 19:59:41 2005] [notice] child pid 635 exit signal Segmentation fault (11)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-12-22 14:26 UTC] bert at procurios dot nl

Changed summary

[2005-12-22 14:52 UTC] bs at procurios dot nl

www13:~/test# cat test.php
<?php

$MimePart = new MimeMessage('file', "mail.txt");
$n = $MimePart->get_child_count();
if ($n > 0) {
  for ($i = 0; $i < $n; $i++) {
    $ChildPart = $MimePart->get_child($i);
  }
}

?>
---

www13:~/test# php test.php
Segmentation fault

---

mail.txt:

Return-Path: Admin <admin@www15.procurios.nl>
Date: Thu, 22 Dec 2005 18:18:00 +0100
From: Admin <admin@www15.procurios.nl>
User-Agent: Procurios ProBase 2.1
MIME-Version: 1.0
To: Sent to mailinglist <admin@www15.procurios.nl>
Subject:
Message-ID: 8fa04a4e9ec6b997cb7d91391cb2ab48d80ae166@www15.procurios.nl
X-ProBase-MLID: 18
X-ProBase-Pers: 1
Content-Type: multipart/alternative; boundary="-----cbc5ea39c3de209c01f92f00543a41563932eb96"


-------cbc5ea39c3de209c01f92f00543a41563932eb96
Content-Type: text/plain;
 charset="ISO-8859-1";
 format="flowed"
Content-Transfer-Encoding: 7bit

-------cbc5ea39c3de209c01f92f00543a41563932eb96
Content-Type: text/html;
 charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit


-------cbc5ea39c3de209c01f92f00543a41563932eb96--

[2006-10-10 15:53 UTC] judas dot iscariote at gmail dot com

works for me applying this patch.

http://pecl.php.net/bugs/bug.php?id=7722

[2006-10-13 11:11 UTC] jon at gamingsolutions dot ca

Same bug. Debian Sarge x86_64 kernel only, most binaries are i386 including PHP and mailparse.so, so 64-bit patch shouldn't be required (system is essentially i386).

I can't get it to segfault with the test message provided below, but it segfaults with basically any other MIME email with attachments - I tried various test cases that we have, which include messages from apple's mail.app and Mozilla Thunderbird 1.5.

Segfaults with and without the 64-bit patch. PHP Version 5.1.6, mailparse 2.1.1 (compiled with '-O -g').

Here's a backtrace produced by the message from Thunderbird (others produce same bt), with the test PHP code provided by bs at procurios dot nl:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1438708096 (LWP 32020)]
0x082f52b9 in zend_hash_quick_find ()
(gdb) bt
#0  0x082f52b9 in zend_hash_quick_find ()
#1  0x08303516 in zend_get_property_info ()
#2  0x08303b3e in zend_std_read_property ()
#3  0x082ef79f in add_property_zval_ex ()
#4  0x5603a1bd in mailparse_mimemessage_populate (part=0x0, object=0x0) at /root/mailparse-2.1.1/mailparse.c:200
#5  0x5603a27e in mailparse_mimemessage_export (part=0x86bdd74, object=0x86bdd74) at /root/mailparse-2.1.1/mailparse.c:221
#6  0x5603ab0d in zif_mailparse_mimemessage_get_child (ht=1, return_value=0x86bdd74, return_value_ptr=0x0, this_ptr=0x86cc9d4, return_value_used=1)
    at /root/mailparse-2.1.1/mailparse.c:374
#7  0x08307e04 in execute ()
#8  0x08307588 in execute ()
#9  0x082ec35a in zend_execute_scripts ()
#10 0x082ac90b in php_execute_script ()
#11 0x08377a4d in main ()

[2006-10-14 07:11 UTC] judas dot iscariote at gmail dot com

I have done the same test of yours against a 64bit patched mailparse with current PHP 5_2 and I get the expected results..

[2007-07-19 18:17 UTC] jon at gamingsolutions dot ca

It looks like a possibly Debian-specific bug.

I thought the bug disappeared in PHP 5.2 - I had compiled it for myself on my workstation (gentoo), where it worked fine - so I developed some code using mailparse. When going back to the Debian servers (now with 5.2.0), it still occurs.

The full backtrace with all debug symbols follows. For reference, the value of ht->arBuckets on the segfaulting line (p = ht->arBuckets[nIndex]) is:

(gdb) print ht->arBuckets:
$9 = (Bucket **) 0x0

Full backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1438687552 (LWP 17387)]
0x082aa662 in zend_hash_quick_find (ht=0x5655f7ac, arKey=0x565877d8 "data", nKeyLength=<error type>, h=<error type>, pData=0xffff8cf8)
    at /home/janderson/build/php5-5.2.0/Zend/zend_hash.c:881
warning: Source file is more recent than executable.
881             p = ht->arBuckets[nIndex];
(gdb) bt full
#0  0x082aa662 in zend_hash_quick_find (ht=0x5655f7ac, arKey=0x565877d8 "data", nKeyLength=<error type>, h=<error type>, pData=0xffff8cf8)
    at /home/janderson/build/php5-5.2.0/Zend/zend_hash.c:881
        p = (Bucket *) 0x38
        ht = (HashTable *) 0x0
        nKeyLength = <error type>
#1  0x082ba746 in zend_get_property_info (ce=0x5655f740, member=0x565877c0, silent=0) at /home/janderson/build/php5-5.2.0/Zend/zend_object_handlers.c:196
        property_info = (zend_property_info *) 0x0
        scope_property_info = (zend_property_info *) 0x20
        denied_access = 86 'V'
        h = <error type>
        member = (zval *) 0x565877c0
#2  0x082bc86d in zend_std_write_property (object=0x56587250, member=0x565877c0, value=0x5658731c) at /home/janderson/build/php5-5.2.0/Zend/zend_object_handlers.c:386
        zobj = (zend_object *) 0x565872b0
        tmp_member = (zval *) 0x0
        variable_ptr = (zval **) 0x5655e148
        property_info = (zend_property_info *) 0x56587250
        member = (zval *) 0x565877c0
#3  0x082a28ac in add_property_zval_ex (arg=0x56587250, key=0x5655e148 "data", key_len=<error type>, value=0x5658731c) at /home/janderson/build/php5-5.2.0/Zend/zend_API.c:1411
        z_key = (zval *) 0x565877c0
        arg = (zval *) 0x56587250
        key = 0x0
        value = (zval *) 0x0
#4  0x56555fab in mailparse_mimemessage_populate (part=0x5657cd34, object=0x56587250) at /root/mailparse-2.1.1/mailparse.c:200
        tmp = (zval *) 0x5658731c
#5  0x56556082 in mailparse_mimemessage_export (part=0x5657cd34, object=0x56587250) at /root/mailparse-2.1.1/mailparse.c:221
        zpart = (zval *) 0x56587268
#6  0x56556977 in zif_mailparse_mimemessage_get_child (ht=1, return_value=0x56587250, return_value_ptr=0x0, this_ptr=0x56587238, return_value_used=1)
    at /root/mailparse-2.1.1/mailparse.c:374
        part = (php_mimepart *) 0x5657c480
        foundpart = (php_mimepart *) 0x5657cd34
        item_to_find = (zval **) 0x55c0b8c4
#7  0x082cf9ef in zend_do_fcall_common_helper_SPEC (execute_data=0xffff912c) at /home/janderson/build/php5-5.2.0/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0x5657ab84
        original_return_value = (zval **) 0x56587250
        current_scope = (zend_class_entry *) 0x55c3549c
        current_this = (zval *) 0x5657c114
        should_change_scope = 1 '\001'
#8  0x082bf3e8 in execute (op_array=0x56579e7c) at /home/janderson/build/php5-5.2.0/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x5657ab84, function_state = {function_symbol_table = 0x55c28264, function = 0x8670808, reserved = {0x82ac896, 0x8524320, 0x8524320, 
      0x56579ac0}}, fbc = 0x8670808, op_array = 0x56579e7c, object = 0x56587238, Ts = 0xffff8f70, CVs = 0xffff8f40, original_in_execution = 1 '\001', symbol_table = 0x55c349bc, 
  prev_execute_data = 0xffff94ec, old_error_reporting = 0x0}
#9  0x082cf3d1 in zend_do_fcall_common_helper_SPEC (execute_data=0xffff94ec) at /home/janderson/build/php5-5.2.0/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x56579b28
        original_return_value = (zval **) 0xffff912c
        current_scope = (zend_class_entry *) 0x55c3549c
        current_this = (zval *) 0x5657c114
        should_change_scope = 1 '\001'
#10 0x082bf3e8 in execute (op_array=0x5656b508) at /home/janderson/build/php5-5.2.0/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x56579b28, function_state = {function_symbol_table = 0x55c349bc, function = 0x56579e7c, reserved = {0xffff9548, 0x82abf21, 0x5657c2cc, 
      0x5656aa5c}}, fbc = 0x56579e7c, op_array = 0x5656b508, object = 0x5657c114, Ts = 0xffff9280, CVs = 0xffff9260, original_in_execution = 1 '\001', symbol_table = 0x55c242e4, 
  prev_execute_data = 0xffffb80c, old_error_reporting = 0x0}
#11 0x082cf3d1 in zend_do_fcall_common_helper_SPEC (execute_data=0xffffb80c) at /home/janderson/build/php5-5.2.0/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x55c16454
        original_return_value = (zval **) 0xffff94ec
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        should_change_scope = 1 '\001'
#12 0x082bf3e8 in execute (op_array=0x55c13de0) at /home/janderson/build/php5-5.2.0/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x55c16454, function_state = {function_symbol_table = 0x55c242e4, function = 0x5656b508, reserved = {0xffffb838, 0x8297cec, 0x55c13e74, 
      0xffffdc40}}, fbc = 0x5656b508, op_array = 0x55c13de0, object = 0x5657c114, Ts = 0xffff96b0, CVs = 0xffff9620, original_in_execution = 0 '\0', symbol_table = 0x854b7b0, 
  prev_execute_data = 0x0, old_error_reporting = 0x0}
#13 0x082a05bc in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/janderson/build/php5-5.2.0/Zend/zend.c:1097
        files = 0xffffb954 ""
        i = 1
---Type <return> to continue, or q <return> to quit---
        file_handle = (zend_file_handle *) 0xffffb80c
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        local_retval = (zval *) 0x0
#14 0x0825b882 in php_execute_script (primary_file=0xffffdc40) at /home/janderson/build/php5-5.2.0/main/main.c:1758
        realfile = "/home/janderson/svntree/trunk/include/mail/parser.php\000t_para<&#65533;\231U\000p\231U&#65533;&#65533;VU&#65533;&#65533;VU\001\000\000\000\020&#65533;&#65533;&#65533;&#65533;\002VU&#65533;&#65533;VU`{\231U\001\000\000\000\001\000\000\000\000\000\000\000\001\033\a\b&#65533;\177\237U\000\000\000\000&#65533;ER\b<&#65533;\231U CR\b&#65533;_&#65533;U&#65533;c&#65533;U(&#65533;&#65533;&#65533;&#65533;&#65533;\236U&#65533;c&#65533;U CR\b&#65533;&#65533;T\b&#65533;&#65533;T\bH&#65533;&#65533;&#65533;&#65533;9&\b&#65533;c&#65533;U&#65533;&#65533;&#65533;&#65533;\002\000\000\000 CR\b CR\b&#65533;&#65533;T\b\b&#65533;&#65533;&#65533;"...
        __orig_bailout = (jmp_buf *) 0xffffdb0c
        __bailout = {{__jmpbuf = {139608864, 139769568, -9660, -9608, -18112, 136689446}, __mask_was_saved = 0, __saved_mask = {__val = 0x1c}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, 
      interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, 
      interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0xffffb960 ""
        retval = 0
#15 0x0832f75e in main (argc=2, argv=0xffffdd14) at /home/janderson/build/php5-5.2.0/sapi/cli/php_cli.c:1108
        __bailout = {{__jmpbuf = {139608864, 1, 0, -9080, -9600, 137555097}, __mask_was_saved = 0, __saved_mask = {__val = 0x1c}}}
        exit_status = 0
        c = 0
        file_handle = {type = 2 '\002', filename = 0xffffde2b "include/mail/parser.php", opened_path = 0x55c13da0 "&#65533;[G9\023", handle = {fd = 140964184, fp = 0x866f158, stream = {
      handle = 0x866f158, reader = 0x82b4930 <zend_stream_stdio_reader>, closer = 0x82b4900 <zend_stream_stdio_closer>, fteller = 0x82b48d0 <zend_stream_stdio_fteller>, 
      interactive = 0}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x0
        script_file = 0xffffde2b "include/mail/parser.php"
        interactive = 0
        module_started = 0
        request_started = 5
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = 110
        argc = 2
        argv = (char **) 0xffffdd14

[2007-11-25 23:40 UTC] shire@php.net

Could someone confirm if this still an issue with the latest release?

[2007-11-26 02:20 UTC] probase at procurios dot nl

Confirm fixed in PHP 5.2.5 + mailparse 2.1.2

[2007-11-27 15:02 UTC] shire@php.net

Thank you for your bug report. This issue has been fixed
in the latest released version of the package, which you can download at
http://pecl.php.net/get/mailparse

Thanks!

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Mon Dec 30 14:01:28 2024 UTC