diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-10-12 16:30:34 +0200 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-10-12 16:30:48 +0200 |
| commit | 11c752a5f5c0fb23e87e8cb9c4147f1a5374fe06 (patch) | |
| tree | 89963374e56ae7b4e782f6680869f97533f41570 /ext/imap/php_imap.c | |
| parent | 0443c824a3a716873440c8e239d40c458d966a21 (diff) | |
| parent | 216d6a024aeee19a7bd532d0ddaad2a4aff7e097 (diff) | |
| download | php-git-11c752a5f5c0fb23e87e8cb9c4147f1a5374fe06.tar.gz | |
Merge branch 'PHP-7.4' into PHP-8.0
* PHP-7.4:
Fix #80216: imap_mail_compose() does not validate types/encodings
Diffstat (limited to 'ext/imap/php_imap.c')
| -rw-r--r-- | ext/imap/php_imap.c | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c index 0b8093b684..99ded64115 100644 --- a/ext/imap/php_imap.c +++ b/ext/imap/php_imap.c @@ -3181,10 +3181,16 @@ PHP_FUNCTION(imap_mail_compose) topbod = bod; if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "type", sizeof("type") - 1)) != NULL) { - bod->type = (short) zval_get_long(pvalue); + zend_long type = zval_get_long(pvalue); + if (type >= 0 && type <= TYPEMAX && body_types[type] != NULL) { + bod->type = (short) type; + } } if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "encoding", sizeof("encoding") - 1)) != NULL) { - bod->encoding = (short) zval_get_long(pvalue); + zend_long encoding = zval_get_long(pvalue); + if (encoding >= 0 && encoding <= ENCMAX && body_encodings[encoding] != NULL) { + bod->encoding = (short) encoding; + } } if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "charset", sizeof("charset") - 1)) != NULL) { convert_to_string_ex(pvalue); @@ -3266,10 +3272,13 @@ PHP_FUNCTION(imap_mail_compose) bod->md5 = cpystr(Z_STRVAL_P(pvalue)); } } else if (Z_TYPE_P(data) == IS_ARRAY && topbod->type == TYPEMULTIPART) { - short type = -1; + short type = 0; SEPARATE_ARRAY(data); if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "type", sizeof("type") - 1)) != NULL) { - type = (short) zval_get_long(pvalue); + zend_long tmp_type = zval_get_long(pvalue); + if (tmp_type >= 0 && tmp_type <= TYPEMAX && tmp_type != TYPEMULTIPART && body_types[tmp_type] != NULL) { + type = (short) tmp_type; + } } if (!toppart) { @@ -3282,13 +3291,13 @@ PHP_FUNCTION(imap_mail_compose) } bod = &mypart->body; - - if (type != TYPEMULTIPART) { - bod->type = type; - } + bod->type = type; if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "encoding", sizeof("encoding") - 1)) != NULL) { - bod->encoding = (short) zval_get_long(pvalue); + zend_long encoding = zval_get_long(pvalue); + if (encoding >= 0 && encoding <= ENCMAX && body_encodings[encoding] != NULL) { + bod->encoding = (short) encoding; + } } if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "charset", sizeof("charset") - 1)) != NULL) { convert_to_string_ex(pvalue); |