From: [EMAIL PROTECTED]
Operating system: Windows XP
PHP version: 5.2CVS-2008-04-02 (snap)
PHP Bug Type: Reproducible crash
Bug description: imap_headerinfo crashes when large int is passed as $[from|subject]_length arg
Description:
------------
The crash in this case is due to the lack of a sanity check on the "fromlength"
argument passed to imap_headerinfo(). In the php_imap.c code we have:

    PHP_FUNCTION(imap_headerinfo)
    {
        zval **streamind, **msgno, **fromlength, **subjectlength, **defaulthost;
        pils *imap_le_struct;
        MESSAGECACHE *cache;
        ENVELOPE *en;
        char dummy[2000], fulladdress[MAILTMPLEN];

where MAILTMPLEN is defined in mail.h as 1024. So stack space is allocated for a
buffer of 1024 bytes to receive the "from" details, which is retrieved by the
following code:

    mail_fetchfrom(fulladdress, imap_le_struct->imap_stream, Z_LVAL_PP(msgno), Z_LVAL_PP(fromlength));

mail_fetchfrom uses the "fromlength" supplied on the imap_headerinfo() call to
clear out part of the "fulladdress" buffer to spaces before copying the "from"
string into it. If the specified fromlength is greater than 1024 bytes
(MAILTMPLEN), the writes run past the end of the buffer and data corruption or
crashes will result.

The php_imap.c code needs to be changed to add a simple sanity check on the
input argument, along the following lines:

    if (myargc >= 3) {
        convert_to_long_ex(fromlength);
        if (Z_LVAL_PP(fromlength) < 0) {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "From length has to be greater than or equal to 0");
            RETURN_FALSE;
        }
        /* ---- start of new code ---- */
        if (Z_LVAL_PP(fromlength) > MAILTMPLEN) {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "From length must be less than or equal to %i bytes", MAILTMPLEN);
            RETURN_FALSE;
        }
        /* ---- end of new code ---- */
    } else {
        fromlength = 0x00;
    }

A similar check is also needed for the "subjectlength" argument.
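To show the failure mode and the shape of the fix in isolation, the following
is an added, self-contained C example; it is not PHP's or the c-client
library's code. MAILTMPLEN takes the 1024 value quoted above; model_fetchfrom
is a constructed stand-in for mail_fetchfrom that blanks `length` bytes, copies
the address and then writes a terminating NUL (that terminator is an
assumption about the callee, and it is why the example bounds the length
strictly below the buffer size rather than at it); check_length_arg and
safe_headerinfo_from are hypothetical helpers standing in for the argument
validation in PHP_FUNCTION(imap_headerinfo).

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed buffer size, matching the MAILTMPLEN value cited in the report. */
#define MAILTMPLEN 1024

/* Constructed model of a c-client style "fetch from" routine (not the real
 * mail_fetchfrom): it blanks `length` bytes of `dst`, copies the address on
 * top and NUL-terminates.  Like the real callee, it trusts the caller for
 * bounds, so an unchecked `length` overruns `dst`. */
static void model_fetchfrom(char *dst, const char *from, long length)
{
    size_t n = strlen(from);
    memset(dst, ' ', (size_t) length);
    memcpy(dst, from, n < (size_t) length ? n : (size_t) length);
    dst[length] = '\0';   /* touches index `length`: length + 1 bytes are written */
}

/* Argument check the wrapper applies before the fetch.  Returns 0 when the
 * value is acceptable, -1 when negative, 1 when it would overrun a buffer of
 * `bufsize` bytes (the terminator is counted, hence >= rather than >). */
int check_length_arg(long length, size_t bufsize)
{
    if (length < 0)
        return -1;
    if ((unsigned long) length >= bufsize)
        return 1;
    return 0;
}

/* Hardened wrapper emulating the PHP layer: fills `out` and returns true on
 * success, or returns false (the analogue of RETURN_FALSE) with a warning
 * when the length argument is unusable. */
bool safe_headerinfo_from(char *out, size_t outsize, const char *from, long fromlength)
{
    switch (check_length_arg(fromlength, outsize)) {
    case -1:
        fprintf(stderr, "Warning: From length has to be greater than or equal to 0\n");
        return false;
    case 1:
        fprintf(stderr, "Warning: From length must be less than %zu bytes\n", outsize);
        return false;
    default:
        model_fetchfrom(out, from, fromlength);
        return true;
    }
}

int main(void)
{
    char fulladdress[MAILTMPLEN];
    const char *sample = "alice@example.invalid";   /* constructed sample address */

    /* Legitimate call: a 40-column padded "from" field. */
    if (safe_headerinfo_from(fulladdress, sizeof fulladdress, sample, 40))
        printf("[%s]\n", fulladdress);

    /* The reproduce case from the report: 12345 is rejected up front instead
     * of being handed to the fetch routine as a write length. */
    if (!safe_headerinfo_from(fulladdress, sizeof fulladdress, sample, 12345))
        printf("rejected oversized length\n");
    return 0;
}
```

The check sits in the caller because the callee has no way to learn the size
of the buffer it was handed; any wrapper that passes a user-controlled width to
a padding routine needs the same pair of tests (negative and too large) before
the call, and the upper bound must account for any terminator the callee adds.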
Reproduce code:
---------------
<?php
// $imap_stream: an open IMAP stream from imap_open(); $msg_no: a valid message number
var_dump(imap_headerinfo($imap_stream, $msg_no, 12345, 12345));
?>

Expected result:
----------------
Warning: imap_headerinfo(): From length must be less than or equal to %d bytes
bool(false)

Actual result:
--------------
PHP crash

-- 
Edit bug report at http://bugs.php.net/?id=44613&edit=1