Bug #58047 infinite loop and/or mem. corruption after calling mailparse_msg_get_part_data
Submitted: 2008-02-20 02:54 UTC
Modified: 2008-03-03 13:38 UTC
From: mpb dot mail at gmail dot com
Assigned:
Status: Closed
Package: mailparse (PECL)
PHP Version: 5.2.1
OS: Linux
Private report: No
CVE-ID: None
 [2008-02-20 02:54 UTC] mpb dot mail at gmail dot com
Description:
------------
I have a function similar to the following:

function part_data ($headers) {
  $msg = mailparse_msg_create ();
  mailparse_msg_parse ($msg, $headers);
  $part = mailparse_msg_get_part ($msg, '1');
  $part_data = mailparse_msg_get_part_data ($part);
  return $part_data; }

After calling this function (but not immediately after), PHP will infinite loop and/or the contents of $part_data will be corrupted.

I believe the reason for this is that $msg goes out of scope and gets garbage collected, which frees the $msg resource.  As part of freeing the $msg resource, I believe that the $part_data array (or perhaps one of the sub-arrays it contains) gets garbage collected prematurely.

The reason I believe this is that if I recursively copy $part_data, and then return the copy, everything works fine.  I therefore suspect there is a reference counting bug inside of the mailparse extension.

The only reproduce code I have at present is part of a 900 line application.  I have not tried to create a small example that demonstrates the bug, but I might be able to do so if that would help you.

Thanks!


 [2008-03-02 21:51 UTC] alan at akbkhome dot com
The extra delref on this line causes segfault on multi-line header entries
php_mailparse_mime.c:456  ZVAL_DELREF(*zheaderval);
- removing this line appears to fix the problem.
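
A simplified model of the failure discussed in this report, added here as an illustration; it is not taken from the mailparse source or written by any commenter. `val_t`, `val_addref`, `val_delref` and `returned_array_dangles` are hypothetical stand-ins for zval reference counting, and the ownership layout (the message resource and the returned array sharing one header value) is an assumption based on the reporter's description.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy refcounted value: a stand-in for a zval, not the Zend API. */
typedef struct { int refcount; int freed; const char *data; } val_t;

static val_t *val_new(const char *s) {
    val_t *v = malloc(sizeof *v);
    if (!v) abort();
    v->refcount = 1; v->freed = 0; v->data = s;
    return v;
}

static void val_addref(val_t *v) { v->refcount++; }

/* Mark the value as freed instead of calling free(), so the dangling
   state can be observed without real undefined behaviour. */
static void val_delref(val_t *v) { if (--v->refcount == 0) v->freed = 1; }

/* Assumed layout: the message resource owns a header value, and the
   part-data call stores the same value in the array it returns.
   Returns 1 if the returned array ends up pointing at a freed value. */
static int returned_array_dangles(int extra_delref) {
    /* constructed sample header with a folded (multi-line) value */
    val_t *header = val_new("multipart/mixed;\n boundary=x");
    val_t *in_array = header;   /* same value placed in $part_data   */
    val_addref(header);         /* the array takes its own reference */
    if (extra_delref)
        val_delref(header);     /* the stray decrement               */
    val_delref(header);         /* $msg leaves scope, drops its ref  */
    int dangling = in_array->freed;
    free(header);
    return dangling;
}

int main(void) {
    printf("with extra delref:    dangling=%d\n", returned_array_dangles(1));
    printf("without extra delref: dangling=%d\n", returned_array_dangles(0));
    return 0;
}
```

With the stray decrement the count reaches zero as soon as the message is released, while the returned array still holds the pointer; a deep copy made before that point does not share the value, which matches the workaround in the report.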
 [2008-03-03 13:38 UTC] shire@php.net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.


 
Last updated: Tue Feb 18 04:01:28 2025 UTC