PHP :: Bug #58047 :: infinite loop and/or mem. corruption after calling mailparse_msg_get_part

Bug #58047	infinite loop and/or mem. corruption after calling mailparse_msg_get_part_data
Submitted:	2008-02-20 02:54 UTC	Modified:	2008-03-03 13:38 UTC
From:	mpb dot mail at gmail dot com	Assigned:
Status:	Closed	Package:	mailparse (PECL)
PHP Version:	5.2.1	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	mpb dot mail at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2008-02-20 02:54 UTC] mpb dot mail at gmail dot com

Description:
------------
I have a function similar to the following:

function part_data ($headers) {
  $msg = mailparse_msg_create ();
  mailparse_msg_parse ($msg, $headers);
  $part = mailparse_msg_get_part ($msg, '1');
  $part_data = mailparse_msg_get_part_data ($part);
  return $part_data; }

After calling this function (but not immediately after), PHP will infinite loop and/or the contents of $part_data will be corrupted.

I believe the reason for this is that $msg goes out of scope and gets garbage collected, which frees the $msg resource.  As part of freeing the $msg resource, I believe that the $part_data array (or perhaps one of the sub-arrays it contains) gets garbage collected prematurely.

The reason I believe this is that if I recursively copy $part_data, and then return the copy, everything works fine.  I therefore  suspect there is a reference counting bug inside of the mailparse extension.

The only reproduce code I have at present is part of a 900 line application.  I have not tried to create a small example that demonstrates the bug, but I might be able to do so if that would help you.

Thanks!

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-03-02 21:51 UTC] alan at akbkhome dot com

The extra delref on this line causes segfault on multi-line header entries
php_mailparse_mime.c:456  ZVAL_DELREF(*zheaderval);
- removing this line appears to fix the problem.

[2008-03-03 13:38 UTC] shire@php.net

This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 13:01:30 2024 UTC