Bug #73562 php_mimepart_free isn't fixed
Submitted: 2016-11-18 11:08 UTC
Modified: 2020-09-15 14:53 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 1 (100.0%)
From: minenok at tutu dot ru
Assigned: cmb
Status: Closed
Package: mailparse (PECL)
PHP Version: 7.0.13
OS: centos 6
Private report: No
CVE-ID: None
 [2016-11-18 11:08 UTC] minenok at tutu dot ru
Description:
------------
Just using mailparse_msg_parse_file. File is valid. Works in console, works in 2-line script in Apache. Doesn't work in a big app.
Btw, part is equal to 0 when coming to php_mimepart_free.

(gdb) bt
#0  php_mimepart_free (part=0x0) at /var/tmp/mailparse/php_mailparse_mime.c:327
#1  0x00007ffff1a37bfd in zend_hash_destroy (ht=0x7fffcd662558) at /usr/src/debug/php-7.0.13/Zend/zend_hash.c:1265
#2  0x00007fffd6d6d663 in php_mimepart_free (part=0x7fffcd662540) at /var/tmp/mailparse/php_mailparse_mime.c:334
#3  0x00007ffff1a3eff7 in zend_resource_dtor (res=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_list.c:76
#4  0x00007ffff1a3f033 in zend_close_rsrc (zv=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_list.c:230
#5  0x00007ffff1a36532 in zend_hash_reverse_apply (ht=0x7ffff1e12b18, apply_func=0x7ffff1a3f020 <zend_close_rsrc>) at /usr/src/debug/php-7.0.13/Zend/zend_hash.c:1629
#6  0x00007ffff1a1c6b3 in shutdown_executor () at /usr/src/debug/php-7.0.13/Zend/zend_execute_API.c:347
#7  0x00007ffff1a295b7 in zend_deactivate () at /usr/src/debug/php-7.0.13/Zend/zend.c:967
#8  0x00007ffff19cb1c2 in php_request_shutdown (dummy=<value optimized out>) at /usr/src/debug/php-7.0.13/main/main.c:1833
#9  0x00007ffff1ac0837 in php_apache_request_dtor (r=0x7ffff85da980) at /usr/src/debug/php-7.0.13/sapi/apache2handler/sapi_apache2.c:518
#10 php_handler (r=0x7ffff85da980) at /usr/src/debug/php-7.0.13/sapi/apache2handler/sapi_apache2.c:690
#11 0x00007ffff7fd64c0 in ap_run_handler (r=0x7ffff85da980) at /usr/src/debug/httpd-2.2.27/server/config.c:158
#12 0x00007ffff7fd9d4e in ap_invoke_handler (r=0x7ffff85da980) at /usr/src/debug/httpd-2.2.27/server/config.c:376
#13 0x00007ffff7fe532c in ap_internal_redirect (new_uri=<value optimized out>, r=<value optimized out>) at /usr/src/debug/httpd-2.2.27/modules/http/http_request.c:554
#14 0x00007fffef859965 in handler_redirect (r=0x7ffff85e2208) at /usr/src/debug/httpd-2.2.27/modules/mappers/mod_rewrite.c:4894
#15 0x00007ffff7fd64c0 in ap_run_handler (r=0x7ffff85e2208) at /usr/src/debug/httpd-2.2.27/server/config.c:158
#16 0x00007ffff7fd9d4e in ap_invoke_handler (r=0x7ffff85e2208) at /usr/src/debug/httpd-2.2.27/server/config.c:376
#17 0x00007ffff7fe54f0 in ap_process_request (r=0x7ffff85e2208) at /usr/src/debug/httpd-2.2.27/modules/http/http_request.c:282
#18 0x00007ffff7fe22d8 in ap_process_http_connection (c=0x7ffff85d1b38) at /usr/src/debug/httpd-2.2.27/modules/http/http_core.c:190
#19 0x00007ffff7fddfd8 in ap_run_process_connection (c=0x7ffff85d1b38) at /usr/src/debug/httpd-2.2.27/server/connection.c:43
#20 0x00007ffff7fea557 in child_main (child_num_arg=<value optimized out>) at /usr/src/debug/httpd-2.2.27/server/mpm/prefork/prefork.c:667
#21 0x00007ffff7fea836 in make_child (s=0x7ffff8212880, slot=0) at /usr/src/debug/httpd-2.2.27/server/mpm/prefork/prefork.c:712
#22 0x00007ffff7feae83 in ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at /usr/src/debug/httpd-2.2.27/server/mpm/prefork/prefork.c:988
#23 0x00007ffff7fc1d55 in main (argc=4, argv=0x7fffffffe728) at /usr/src/debug/httpd-2.2.27/server/main.c:753

Test script:
---------------
$x = mailparse_msg_parse_file('/some/file');


 [2016-11-18 11:16 UTC] minenok at tutu dot ru
Another backtrace for the same problem

#0  enum_parts_recurse (top=0x7fffffffae50, child=0x7fffffffae50, part=0x0, callback=0x7fffd6d6c2d0 <find_part_callback>, ptr=0x7fffffffae70) at /var/tmp/mailparse/php_mailparse_mime.c:764
#1  0x00007fffd6d6c4d3 in php_mimepart_enum_parts (part=<value optimized out>, callback=<value optimized out>, ptr=<value optimized out>) at /var/tmp/mailparse/php_mailparse_mime.c:784
#2  0x00007fffd6d6c500 in php_mimepart_find_by_name (parent=<value optimized out>, name=<value optimized out>) at /var/tmp/mailparse/php_mailparse_mime.c:846
#3  0x00007fffd6d68d70 in zif_mailparse_msg_get_part (execute_data=<value optimized out>, return_value=0x7fffee018c20) at /var/tmp/mailparse/mailparse.c:1518
#4  0x00007ffff1a1aa69 in dtrace_execute_internal (execute_data=<value optimized out>, return_value=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:107
#5  0x00007ffff1aa1472 in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7fffee018b20) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:844
#6  0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#7  0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee018b20) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#8  0x00007ffff1aa12ea in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7fffee018a60) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:800
#9  0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#10 0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee018a60) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#11 0x00007ffff1aa12ea in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7fffee0189b0) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:800
#12 0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#13 0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee0189b0) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#14 0x00007ffff1aa12ea in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7fffee018920) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:800
#15 0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#16 0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee018920) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#17 0x00007ffff1aa12ea in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7fffee018880) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:800
#18 0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#19 0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee018880) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#20 0x00007ffff1aa12ea in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7fffee0187c0) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:800
#21 0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#22 0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee0187c0) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#23 0x00007ffff1aa12ea in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7fffee0186e0) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:800
#24 0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#25 0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee0186e0) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#26 0x00007ffff1aae7d8 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (execute_data=0x7fffee018540) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:29488
#27 0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#28 0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee018540) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#29 0x00007ffff1aa12ea in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7fffee0183f0) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:800
#30 0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#31 0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee0183f0) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#32 0x00007ffff1a8f69c in ZEND_CALL_TRAMPOLINE_SPEC_HANDLER (execute_data=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:1750
#33 0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#34 0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee0183f0) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#35 0x00007ffff1aa12ea in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7fffee018210) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:800
#36 0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#37 0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee018210) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#38 0x00007ffff1aa12ea in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7fffee018160) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:800
#39 0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#40 0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee018160) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#41 0x00007ffff1aa12ea in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7fffee0180f0) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:800
#42 0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#43 0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee0180f0) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#44 0x00007ffff1aa12ea in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7fffee018030) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:800
#45 0x00007ffff1a68e40 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:417
#46 0x00007ffff1a1abae in dtrace_execute_ex (execute_data=0x7fffee018030) at /usr/src/debug/php-7.0.13/Zend/zend_dtrace.c:83
#47 0x00007ffff1abca2b in zend_execute (op_array=0x7fffee0820e0, return_value=<value optimized out>) at /usr/src/debug/php-7.0.13/Zend/zend_vm_execute.h:458
#48 0x00007ffff1a29493 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-7.0.13/Zend/zend.c:1427
#49 0x00007ffff19ca720 in php_execute_script (primary_file=0x7fffffffe070) at /usr/src/debug/php-7.0.13/main/main.c:2494
#50 0x00007ffff1ac093d in php_handler (r=0x7ffff86a33c0) at /usr/src/debug/php-7.0.13/sapi/apache2handler/sapi_apache2.c:678
#51 0x00007ffff7fd64c0 in ap_run_handler (r=0x7ffff86a33c0) at /usr/src/debug/httpd-2.2.27/server/config.c:158
#52 0x00007ffff7fd9d4e in ap_invoke_handler (r=0x7ffff86a33c0) at /usr/src/debug/httpd-2.2.27/server/config.c:376
#53 0x00007ffff7fe532c in ap_internal_redirect (new_uri=<value optimized out>, r=<value optimized out>) at /usr/src/debug/httpd-2.2.27/modules/http/http_request.c:554
#54 0x00007fffef859965 in handler_redirect (r=0x7ffff85d91c8) at /usr/src/debug/httpd-2.2.27/modules/mappers/mod_rewrite.c:4894
#55 0x00007ffff7fd64c0 in ap_run_handler (r=0x7ffff85d91c8) at /usr/src/debug/httpd-2.2.27/server/config.c:158
#56 0x00007ffff7fd9d4e in ap_invoke_handler (r=0x7ffff85d91c8) at /usr/src/debug/httpd-2.2.27/server/config.c:376
#57 0x00007ffff7fe54f0 in ap_process_request (r=0x7ffff85d91c8) at /usr/src/debug/httpd-2.2.27/modules/http/http_request.c:282
#58 0x00007ffff7fe22d8 in ap_process_http_connection (c=0x7ffff85d1b38) at /usr/src/debug/httpd-2.2.27/modules/http/http_core.c:190
#59 0x00007ffff7fddfd8 in ap_run_process_connection (c=0x7ffff85d1b38) at /usr/src/debug/httpd-2.2.27/server/connection.c:43
#60 0x00007ffff7fea557 in child_main (child_num_arg=<value optimized out>) at /usr/src/debug/httpd-2.2.27/server/mpm/prefork/prefork.c:667
#61 0x00007ffff7fea836 in make_child (s=0x7ffff8212880, slot=0) at /usr/src/debug/httpd-2.2.27/server/mpm/prefork/prefork.c:712
#62 0x00007ffff7feae83 in ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at /usr/src/debug/httpd-2.2.27/server/mpm/prefork/prefork.c:988
#63 0x00007ffff7fc1d55 in main (argc=4, argv=0x7fffffffe728) at /usr/src/debug/httpd-2.2.27/server/main.c:753
 [2019-07-21 19:40 UTC] php at delegated dot net
Added
if (&part->children)
just before
zend_hash_destroy(&part->children);
to fix. Seems zend_hash_destroy doesn't like being handed an empty hash/null.
 [2020-09-14 15:33 UTC] cmb@php.net
-Status: Open
+Status: Analyzed
-Assigned To:
+Assigned To: cmb
 [2020-09-14 15:33 UTC] cmb@php.net
The problem is that mailparse_msg_parse() creates a main mime part
and after that possibly several child mime parts, which are all of
the same resource type.  On shutdown, the engine destroys unfreed
resources in reverse order (i.e. the children before the main
part), but no mime parts are freed if they still have a parent.
When the main part is to be freed, the children are already
destroyed, which causes a NULL pointer dereference.
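
A minimal C model of the teardown order described in the analysis above, added here as an illustration; it is not part of the original thread and is not code from mailparse or the PHP engine. The names `slot_t`, `part_dtor` and `simulate`, the static pool, and the slot being cleared before the destructor runs are modelling assumptions; the `fixed` path shows one possible ownership rule, not necessarily what the merged pull request does.

```c
#include <stdio.h>
#define NCHILD 3
typedef struct part part_t;
typedef struct { part_t *ptr; } slot_t;        /* one entry in the resource list */
struct part { part_t *parent; slot_t *child[NCHILD]; int nchild; int alive; };
typedef struct { int null_parts; int leaked; } result_t;
static part_t pool[NCHILD + 1];                /* static pool stands in for the heap */

/* Free a part and every child still reachable through its child slots. */
static void part_free(part_t *p, result_t *r) {
    for (int i = 0; i < p->nchild; i++) {
        part_t *c = p->child[i]->ptr;
        if (c == NULL) r->null_parts++;        /* the reported crash site: part == NULL */
        else { p->child[i]->ptr = NULL; part_free(c, r); }
    }
    p->alive = 0;
}

/* Resource destructor; fixed == 0 follows the behaviour described in the thread. */
static void part_dtor(slot_t *s, part_t *p, int fixed, result_t *r) {
    part_t *par = p->parent;
    if (par && !fixed) return;                 /* child that still has a parent: not freed */
    for (int i = 0; par && i < par->nchild; i++)
        if (par->child[i] == s) { par->child[i] = par->child[--par->nchild]; break; }
    part_free(p, r);                           /* fixed: unlinked above, so safe to free */
}

static result_t simulate(int fixed) {
    slot_t list[NCHILD + 1];
    result_t r = {0, 0};
    for (int i = 0; i <= NCHILD; i++) {        /* slot 0 holds the main part */
        pool[i] = (part_t){ .parent = i ? &pool[0] : NULL, .alive = 1 };
        list[i].ptr = &pool[i];
        if (i) pool[0].child[pool[0].nchild++] = &list[i];
    }
    for (int i = NCHILD; i >= 0; i--) {        /* children are destroyed first */
        part_t *p = list[i].ptr;
        list[i].ptr = NULL;                    /* assumption: slot cleared before dtor */
        part_dtor(&list[i], p, fixed, &r);
    }
    for (int i = 0; i <= NCHILD; i++) r.leaked += pool[i].alive;
    return r;
}

int main(void) {
    result_t bad = simulate(0), ok = simulate(1);
    printf("original: %d NULL parts, %d leaked\n", bad.null_parts, bad.leaked);
    printf("fixed:    %d NULL parts, %d leaked\n", ok.null_parts, ok.leaked);
}
```

In the model, the original destructor hands the main part three NULL children and leaves three parts unreleased; unlinking each child from its parent when its own slot is destroyed removes both effects.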
 [2020-09-14 15:55 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #74215: Memory leaks with mailparse
On GitHub:  https://github.com/php/pecl-mail-mailparse/pull/11
Patch:      https://github.com/php/pecl-mail-mailparse/pull/11.patch
 [2020-09-15 14:53 UTC] cmb@php.net
-Status: Analyzed
+Status: Closed
 [2020-09-15 14:53 UTC] cmb@php.net
The PR has been merged.
Last updated: Sat Jul 31 07:01:23 2021 UTC