php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #77821 Potential heap corruption in TSendMail()
Submitted: 2019-03-29 10:09 UTC Modified: 2019-04-30 05:08 UTC
From: cmb@php.net Assigned: ab (profile)
Status: Closed Package: *Mail Related
PHP Version: 7.1 OS: Windows
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: cmb@php.net
New email:
PHP Version: OS:

 

 [2019-03-29 10:09 UTC] cmb@php.net
Description:
------------
Running ext/standard/tests/mail/mail_basic_alt2-win32.phpt
sometimes yields Critical error detected c0000374, which indicates
a heap corruption.

Test script:
---------------
ext/standard/tests/mail/mail_basic_alt2-win32.phpt


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-03-29 10:19 UTC] cmb@php.net
-Assigned To: +Assigned To: ab
 [2019-03-29 10:19 UTC] cmb@php.net
Suggested fix for PHP 7.2:
<https://gist.github.com/cmb69/05d64c433700c59384fd759b629e7762>.

For PHP 7.3 and up the situation is slightly different, since code
has been added to release one of the strings right away if
`zend_string_tolower()` returns a copy[1].  It seems to me that
this code should be removed (since it relies on internals of the
API), and the 7.2 fix be applied.

[1] <https://github.com/php/php-src/blob/php-7.3.4RC1/win32/sendmail.c#L211-L213>
 [2019-03-31 06:52 UTC] stas@php.net
Is this but not present in 7.1?
 [2019-03-31 10:46 UTC] ab@php.net
What is the backtrace?

Thanks.
 [2019-03-31 10:55 UTC] cmb@php.net
-PHP Version: 7.2Git-2019-03-29 (Git) +PHP Version: 7.1
 [2019-03-31 10:55 UTC] cmb@php.net
Thanks, Stas!  Indeed, PHP-7.1 is affected as well, and the
suggested patch[1] has to be applied there, too.

Backtrace is:

ntdll.dll!00007ffb6e35aed2() (Unknown Source:0)
ntdll.dll!00007ffb6e36379e() (Unknown Source:0)
ntdll.dll!00007ffb6e363aaa() (Unknown Source:0)
ntdll.dll!00007ffb6e2febc1() (Unknown Source:0)
ntdll.dll!00007ffb6e30cd22() (Unknown Source:0)
ucrtbase.dll!00007ffb6a6ec7eb() (Unknown Source:0)
[Inline Frame] php7.dll!zend_string_free(_zend_string *) Line 264 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_string.h:264)
php7.dll!TSendMail(char * host, int * error, char * * error_message, char * headers, char * Subject, char * mailTo, char * data, char * mailCc, char * mailBcc, char * mailRPath) Line 312 (d:\php-sdk\phpdev\vc14\x64\php-src\win32\sendmail.c:312)
php7.dll!php_mail(char * to, char * subject, char * message, char * headers, char * extra_cmd) Line 342 (d:\php-sdk\phpdev\vc14\x64\php-src\ext\standard\mail.c:342)
php7.dll!zif_mail(_zend_execute_data * execute_data, _zval_struct * return_value) Line 174 (d:\php-sdk\phpdev\vc14\x64\php-src\ext\standard\mail.c:174)
php7.dll!ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER(_zend_execute_data * execute_data) Line 685 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_vm_execute.h:685)
php7.dll!execute_ex(_zend_execute_data * ex) Line 432 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_vm_execute.h:432)
php7.dll!zend_execute(_zend_op_array * op_array, _zval_struct * return_value) Line 475 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_vm_execute.h:475)
php7.dll!zend_execute_scripts(int type, _zval_struct * retval, int file_count, ...) Line 1483 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend.c:1483)
php7.dll!php_execute_script(_zend_file_handle * primary_file) Line 2577 (d:\php-sdk\phpdev\vc14\x64\php-src\main\main.c:2577)
php.exe!do_cli(int argc, char * * argv) Line 994 (d:\php-sdk\phpdev\vc14\x64\php-src\sapi\cli\php_cli.c:994)
php.exe!main(int argc, char * * argv) Line 1381 (d:\php-sdk\phpdev\vc14\x64\php-src\sapi\cli\php_cli.c:1381)
[Inline Frame] php.exe!invoke_main() Line 64 (f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:64)
php.exe!__scrt_common_main_seh() Line 253 (f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253)
kernel32.dll!00007ffb6e1881f4() (Unknown Source:0)

[1] <https://gist.github.com/cmb69/05d64c433700c59384fd759b629e7762>
 [2019-03-31 12:05 UTC] ab@php.net
Thanks for the BT. The patch looks correct. I've no environment to test it right now, as it fixes for Christoph should be fine to include. Christoph, please add a test, if possible.

Thanks.
 [2019-03-31 12:10 UTC] cmb@php.net
> Christoph, please add a test, if possible.

There is already mail_basic_alt2-win32.phpt wich is failing (at least sometimes) because of the bug.
 [2019-04-30 05:10 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6c631ccfef94f93259d474682f8bfa803e163c87
Log: Fix #77821: Potential heap corruption in TSendMail()
 [2019-04-30 05:10 UTC] stas@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 14 15:01:27 2024 UTC