Bug #72852 imap_mail null dereference
Submitted: 2016-08-16 09:08 UTC Modified: 2016-08-19 13:50 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: IMAP related
PHP Version: irrelevant OS: Windows
Private report: No CVE-ID:
 [2016-08-16 09:08 UTC] fernando at null-life dot com
Description:
------------
This seems to be a Windows only issue, tested with the 7.0.10RC1 QA build [1]. I don't have symbols for rfc822_parse_adrlist [2] so I'm unable to debug further. Seems to be a null dereference based on the stack trace.

[1] http://windows.php.net/qa/
[2] https://github.com/php/php-src/blob/master/ext/imap/php_imap.c#L3965



Test script:
---------------
<?php

// Malformed recipient: a route-addr with an unterminated quoted string.
$to="<a href=\"";
$subject="A";
$message="A";

// Crashes inside rfc822_parse_adrlist on the Windows build.
imap_mail($to,$subject,$message);

Expected result:
----------------
No crash

Actual result:
--------------
Faulting Instruction:6d6cb891 cmp byte ptr [eax],40h

Basic Block:
    6d6cb891 cmp byte ptr [eax],40h
       Tainted Input operands: 'eax'
    6d6cb894 cmovne ecx,eax
    6d6cb897 lea eax,[esp+1ch]
    6d6cb89b push ecx
    6d6cb89c push dword ptr [esi+8]
    6d6cb89f push offset php_imap!body_encodings+0x130 (6d76eda8)
    6d6cb8a4 push eax
    6d6cb8a5 call php_imap!sprintf (6d6ce3b0)

Exception Hash (Major/Minor): 0x212bb295.0x3256a426

 Hash Usage : Stack Trace:
Major+Minor : php_imap!rfc822_parse_routeaddr+0x201
Major+Minor : php_imap!rfc822_parse_mailbox+0x4b
Major+Minor : php_imap!rfc822_parse_address+0x51
Major+Minor : php_imap!rfc822_parse_adrlist+0xa8
Major+Minor : php_imap!_php_imap_mail+0x113
Minor       : php_imap!zif_imap_mail+0x133
Minor       : php7!ZEND_DO_ICALL_SPEC_HANDLER+0x51
Minor       : php7!execute_ex+0x21
Minor       : php7!zend_execute+0x325
Minor       : php7!zend_execute_scripts+0xab
Minor       : php7!php_execute_script+0x2aa
Minor       : php!do_cli+0x7e3
Minor       : php!main+0x44e
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_774c0000!__RtlUserThreadStart+0x2f
Minor       : ntdll_774c0000!_RtlUserThreadStart+0x1b
Instruction Address: 0x000000006d6cb891

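The report shows that imap_mail() hands its $to string straight to the c-client rfc822 address parser, so malformed input reaches native code. As an added example (not code from the report or from php-src), the wrapper below rejects anything that is not a plain addr-spec or a "Display Name <addr-spec>" mailbox before calling imap_mail(); validate_recipients() and safe_imap_mail() are hypothetical names, and the address grammar enforced is deliberately stricter than RFC 822.

```php
<?php
// Added example, not part of the bug report or of php-src.
// Validate recipients before they reach imap_mail(), so input such as the
// reporter's "<a href=\"" is refused in PHP instead of being parsed natively.

/**
 * Return the recipient list as an array, or null if any entry is not a
 * plain addr-spec or a "Display Name <addr-spec>" mailbox.
 */
function validate_recipients(string $to): ?array
{
    $clean = [];
    foreach (explode(',', $to) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            return null;
        }
        // Optional display name (no quotes or angle brackets), then <addr>.
        if (preg_match('/^([A-Za-z0-9 ._-]{1,64})?\s*<([^<>"\s]+)>$/', $entry, $m)) {
            $addr = $m[2];
        } elseif (strpbrk($entry, '<>"\\' . "\r\n") === false) {
            $addr = $entry;
        } else {
            return null; // stray quote, bracket or line break: reject, never repair
        }
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            return null;
        }
        $clean[] = $entry;
    }
    return $clean;
}

/** Only call imap_mail() with a recipient list that passed validation. */
function safe_imap_mail(string $to, string $subject, string $message): bool
{
    $recipients = validate_recipients($to);
    if ($recipients === null) {
        // Log the raw bytes (hex-encoded) so the rejected input is reviewable.
        error_log('imap_mail: rejected malformed recipient list: ' . bin2hex($to));
        return false;
    }
    return imap_mail(implode(', ', $recipients), $subject, $message);
}

// Constructed samples: the reporter's crashing input and two valid lists.
foreach (['<a href="', 'ops@example.com', 'Bob <bob@example.com>, ops@example.com'] as $sample) {
    printf("%-45s %s\n", var_export($sample, true),
        validate_recipients($sample) === null ? 'rejected' : 'accepted');
}
```

The sample loop only exercises validate_recipients(); safe_imap_mail() additionally requires the imap extension and a configured SMTP host to actually send.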

 [2016-08-16 17:55 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-08-19 13:50 UTC] ab@php.net
-Status: Open +Status: Verified -PHP Version: 7.0.9 +PHP Version: irrelevant
 [2016-08-19 23:39 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=21f08a7488b54e9894b762b690b6674858881252
Log: Fixed bug #72852 imap_mail null dereference
 [2016-08-19 23:39 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=21f08a7488b54e9894b762b690b6674858881252
Log: Fixed bug #72852 imap_mail null dereference
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Jul 23 14:01:36 2017 UTC