diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-10-20 16:38:16 +0200 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-10-20 18:58:45 +0200 |
| commit | 315b95b0654fca116d6db0f11dc22151ac139988 (patch) | |
| tree | 5dffcd58e8793cd86757449e2e4d200c093bda5a | |
| parent | de58fb34c9dad0ce598eb53ee942628fd7c7b14a (diff) | |
| download | php-git-315b95b0654fca116d6db0f11dc22151ac139988.tar.gz | |
Fix #80242: imap_mail_compose() segfaults for multipart with rfc822
libc-client expects `TYPEMESSAGE` with an explicit subtype of `RFC822`
to have a `nested.msg` (otherwise there will be a segfault during
free), but not to have any `contents.text.data` (this will leak
otherwise).
Closes GH-6345.
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/imap/php_imap.c | 22 | ||||
| -rw-r--r-- | ext/imap/tests/bug80242.phpt | 22 |
3 files changed, 37 insertions, 9 deletions
@@ -6,6 +6,8 @@ PHP NEWS . Fixed bug #64076 (imap_sort() does not return FALSE on failure). (cmb) . Fixed bug #80239 (imap_rfc822_write_address() leaks memory). (cmb) . Fixed minor regression caused by fixing bug #80220. (cmb) + . Fixed bug #80242 (imap_mail_compose() segfaults for multipart with rfc822). + (cmb) 29 Oct 2020, PHP 7.3.24 diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c index 7d0fca1e98..cf8ed7bcf2 100644 --- a/ext/imap/php_imap.c +++ b/ext/imap/php_imap.c @@ -3818,15 +3818,19 @@ PHP_FUNCTION(imap_mail_compose) bod->disposition.parameter = disp_param; } } - if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "contents.data", sizeof("contents.data") - 1)) != NULL) { - convert_to_string_ex(pvalue); - bod->contents.text.data = fs_get(Z_STRLEN_P(pvalue) + 1); - memcpy(bod->contents.text.data, Z_STRVAL_P(pvalue), Z_STRLEN_P(pvalue) + 1); - bod->contents.text.size = Z_STRLEN_P(pvalue); + if (bod->type == TYPEMESSAGE && bod->subtype && !strcmp(bod->subtype, "RFC822")) { + bod->nested.msg = mail_newmsg(); } else { - bod->contents.text.data = fs_get(1); - memcpy(bod->contents.text.data, "", 1); - bod->contents.text.size = 0; + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "contents.data", sizeof("contents.data") - 1)) != NULL) { + convert_to_string_ex(pvalue); + bod->contents.text.data = fs_get(Z_STRLEN_P(pvalue) + 1); + memcpy(bod->contents.text.data, Z_STRVAL_P(pvalue), Z_STRLEN_P(pvalue) + 1); + bod->contents.text.size = Z_STRLEN_P(pvalue); + } else { + bod->contents.text.data = fs_get(1); + memcpy(bod->contents.text.data, "", 1); + bod->contents.text.size = 0; + } } if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "lines", sizeof("lines") - 1)) != NULL) { bod->size.lines = zval_get_long(pvalue); @@ -3927,7 +3931,7 @@ PHP_FUNCTION(imap_mail_compose) bod=&part->body; - spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data, CRLF); + spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data ? (char *) bod->contents.text.data : "", CRLF); efree(mystring); mystring=tempstring; } while ((part = part->next)); /* until done */ diff --git a/ext/imap/tests/bug80242.phpt b/ext/imap/tests/bug80242.phpt new file mode 100644 index 0000000000..849e7c6212 --- /dev/null +++ b/ext/imap/tests/bug80242.phpt @@ -0,0 +1,22 @@ +--TEST-- +Bug #80242 (imap_mail_compose() segfaults for multipart with rfc822) +--SKIPIF-- +<?php +if (!extension_loaded('imap')) die('skip imap extension not available'); +?> +--FILE-- +<?php +$bodies = [[ + 'type' => TYPEMULTIPART, +], [ + 'type' => TYPETEXT, + 'contents.data' => 'some text', +], [ + 'type' => TYPEMESSAGE, + 'subtype' => 'RFC822', +]]; +imap_mail_compose([], $bodies); +echo "done\n"; +?> +--EXPECT-- +done |