Fixed MOPB-33-2007:PHP mail() Message ASCIIZ Byte Truncation

1 files changed, 21 insertions, 1 deletions

diff --git a/ext/standard/mail.c b/ext/standard/mail.c
index d493d1d591..db5658c26e 100644
--- a/ext/standard/mail.c
+++ b/ext/standard/mail.c
@@ -55,6 +55,14 @@
 		continue;											\
 	}													\
 
+#define MAIL_ASCIIZ_CHECK(str, len)			\
+	p = str;					\
+	e = p + len;					\
+	while (p = memchr(p, '\0', (e - p))) {		\
+		*p = ' ';				\
+	}						\
+
+
 /* {{{ proto int ezmlm_hash(string addr)
    Calculate EZMLM list hash value. */
 PHP_FUNCTION(ezmlm_hash)
@@ -88,6 +96,7 @@ PHP_FUNCTION(mail)
 	int subject_len, extra_cmd_len, i;
 	char *force_extra_parameters = INI_STR("mail.force_extra_parameters");
 	char *to_r, *subject_r;
+	char *p, *e;
 
 	if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "SAFE MODE Restriction in effect.  The fifth parameter is disabled in SAFE MODE.");
@@ -104,6 +113,17 @@ PHP_FUNCTION(mail)
 		return;
 	}
 
+	/* ASCIIZ check */
+	MAIL_ASCIIZ_CHECK(to, to_len);
+	MAIL_ASCIIZ_CHECK(subject, subject_len);
+	MAIL_ASCIIZ_CHECK(message, message_len);
+	if (headers) {
+		MAIL_ASCIIZ_CHECK(headers, headers_len);
+	}
+	if (extra_cmd) {
+		MAIL_ASCIIZ_CHECK(extra_cmd, extra_cmd_len);
+	}
+
 	if (to_len > 0) {
 		to_r = estrndup(to, to_len);
 		for (; to_len; to_len--) {
@@ -150,7 +170,7 @@ PHP_FUNCTION(mail)
 	} else if (extra_cmd) {
 		extra_cmd = php_escape_shell_cmd(extra_cmd);
 	}
-	
+
 	if (php_mail(to_r, subject_r, message, headers, extra_cmd TSRMLS_CC)) {
 		RETVAL_TRUE;
 	} else {