Bug #22048 :: imap_header() crashes with bad To: or From: header
| Bug #22048 | imap_header() crashes with bad To: or From: header | | |
|---|---|---|---|
| Submitted: | 2003-02-04 10:40 UTC | Modified: | 2003-02-11 16:59 UTC |
| From: | rlineweaver at harrisonburg dot k12 dot va dot us | Assigned: | iliaa (profile) |
| Status: | Closed | Package: | IMAP related |
| PHP Version: | 4CVS-2003-02-04 (stable) | OS: | RedHat Linux 8.0 (2.4.18) |
| Private report: | No | CVE-ID: | None |
[2003-02-04 10:40 UTC] rlineweaver at harrisonburg dot k12 dot va dot us
This is a very similar issue to bug #19280 (http://bugs.php.net/bug.php?id=19280), but that bug was closed and this issue still exists.

php4-STABLE-200302041230
imap-2001a (from RedHat 8.0)
apache-2.0.44 (happens from CLI too, so probably irrelevant)
also occurs with php-4.3.0, apache-2.0.43

Strangely constructed To: or From: header causes a segfault, even from CLI php. Here are sample headers to reconstruct the problem:

---
From test@test.com Mon Feb 3 14:08:06 2003
Return-Path: <test@test.com>
Date: Mon, 3 Feb 2003 14:08:08 -0500
From: PHP Test Case <test@test.com>
To: \\\\\\\\\\\\\\\\\\\ <t@t.com>
Subject: test 4
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
---

Swapping the To: and From: headers causes the same problem.

The following script will reproduce the segfault:

---
<?php
$mailbox = imap_open( "{127.0.0.1:143/imap/notls}"."test", "rob", "******", OP_READONLY);
$header = imap_header($mailbox, 1);
echo $header->toaddress . "\n";
echo $header->fromaddress . "\n";
imap_close($mailbox);
?>
---

Notes:

In ext/imap/php_imap.c, if I change the define:

#define PHP_IMAP_ADDRESS_SIZE_BUF 10

to something larger, say 100, the segfault disappears. Since PHP_IMAP_ADDRESS_SIZE_BUF was added to solve bug #19280 I thought this may be a related issue.

The badly constructed address above (\\\\\\\\\\\\\\\\\\\ <t@t.com>) was the shortest test case I could come up with. Note that reducing the number of backslashes makes it work, but adding the same number of alphanumeric characters back into the email address itself (between the <>) breaks it again.

An older server running PHP 4.1.2, imap-2001a, Apache 1.3.27, Horde/IMP, was not affected by the same messages.

Thanks for looking into this! Let me know if you need additional information.

PHP ./configure line pasted below:

'./configure' '--prefix=/usr/local/php4-STABLE-200302041230' '--with-config-file-path=/etc' '--enable-force-cgi-redirect' '--disable-debug' '--enable-pic' '--disable-rpath' '--enable-inline-optimization' '--with-bz2' '--with-db4' '--with-zlib' '--with-gd' '--with-png-dir=/usr' '--with-freetype-dir=/usr' '--enable-gd-native-ttf' '--with-ttf' '--with-gdbm' '--with-gettext' '--with-ncurses' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-png' '--with-pspell' '--with-regex=system' '--with-xml' '--with-expat-dir=/usr' '--enable-bcmath' '--enable-exif' '--enable-ftp' '--enable-magic-quotes' '--enable-safe-mode=no' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-discard-path' '--enable-track-vars' '--enable-trans-sid' '--without-oci8' '--with-pear=/usr/share/pear' '--with-imap=shared' '--with-imap-ssl' '--with-ldap=shared' '--with-mysql=shared,/usr' '--enable-memory-limit' '--enable-bcmath' '--enable-shmop' '--enable-versioning' '--with-apxs2=/usr/local/apache-2.0.44/bin/apxs' '--with-kerberos=/usr/kerberos'
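The report's observation that raising a fixed size margin hides the crash is typical of a buffer sized from raw input length. The following is an added example, not code from php_imap.c, c-client or the reporter. It assumes a serializer that emits the display name as a quoted-string and backslash-escapes `\` and `"`. All function names and `FIXED_SLACK` are hypothetical. It compares a constant-margin estimate with an exact bound, and the writer refuses an undersized buffer instead of overrunning it.

```c
#include <stdio.h>
#include <string.h>

#define FIXED_SLACK 10 /* same value as the PHP_IMAP_ADDRESS_SIZE_BUF define quoted in the report */

/* Bytes to emit `name` as a quoted-string: 2 quotes + 1 escape byte per '\' or '"'. */
size_t quoted_len(const char *name)
{
    size_t n = strlen(name) + 2;
    for (const char *p = name; (p = strpbrk(p, "\\\"")) != NULL; p++)
        n++;
    return n;
}

/* Brittle sizing: raw input lengths plus a constant margin. */
size_t estimate_fixed(const char *name, const char *addr)
{
    return strlen(name) + strlen(addr) + FIXED_SLACK;
}

/* Exact sizing for `"name" <addr>` plus the terminating NUL. */
size_t estimate_exact(const char *name, const char *addr)
{
    return quoted_len(name) + 2 + strlen(addr) + 1 + 1;
}

/* Hypothetical bounded serializer: returns bytes required (incl. NUL) and
 * writes nothing when `cap` is too small, instead of overrunning `out`. */
size_t write_address(char *out, size_t cap, const char *name, const char *addr)
{
    size_t need = estimate_exact(name, addr), i = 0;
    if (need > cap)
        return need;
    out[i++] = '"';
    for (; *name; name++) {
        if (*name == '\\' || *name == '"')
            out[i++] = '\\';
        out[i++] = *name;
    }
    snprintf(out + i, cap - i, "\" <%s>", addr);
    return need;
}

int main(void)
{
    char name[20], out[64];
    memset(name, '\\', 19); /* constructed input: 19 backslashes, modelled on the report's To: header */
    name[19] = '\0';
    printf("fixed=%zu exact=%zu\n", estimate_fixed(name, "t@t.com"), estimate_exact(name, "t@t.com"));
    printf("refused=%d\n", write_address(out, estimate_fixed(name, "t@t.com"), name, "t@t.com") > 36);
    return 0;
}
```

Under these assumptions an ordinary name such as the report's From: display name fits within the fixed margin, which is why a constant like this can pass normal testing and fail only on escape-heavy input.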
[2003-02-11 12:30 UTC] iliaa@php.net
[2003-02-11 16:59 UTC] iliaa@php.net