diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-10-16 11:58:50 +0200 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-10-20 13:32:53 +0200 |
| commit | 7f3bdda29bf7123f1f2841c5483e30b5b22981ce (patch) | |
| tree | 28d5a2d97516e613f86af002df208eed81b25d36 /ext/imap/php_imap.c | |
| parent | 7b5f232b0366ec85933ebd9230c6052494f43c63 (diff) | |
| download | php-git-7f3bdda29bf7123f1f2841c5483e30b5b22981ce.tar.gz | |
Properly fix #80220
The original fix for that bug[1] broke the formerly working composition
of message/rfc822 messages, which results in a segfault when freeing
the message body now. While `imap_mail_compose()` does not really
support composition of meaningful message/rfc822 messages (although
libc-client appears to support that), some code may still use this to
compose partial messages, and using string manipulation to create the
final message.
The point is that libc-client expects `TYPEMESSAGE` with an explicit
subtype of `RFC822` to have a `nested.msg` (otherwise there will be a
segfault during free), but not to have any `contents.text.data` (this
will leak otherwise).
[1] <http://git.php.net/?p=php-src.git;a=commit;h=0d022ddf03c5fabaaa22e486d1e4a367ed9170a7>
Closes GH-6343.
Diffstat (limited to 'ext/imap/php_imap.c')
| -rw-r--r-- | ext/imap/php_imap.c | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c index d3b3986ad5..084cb4ee28 100644 --- a/ext/imap/php_imap.c +++ b/ext/imap/php_imap.c @@ -3706,15 +3706,19 @@ PHP_FUNCTION(imap_mail_compose) bod->disposition.parameter = disp_param; } } - if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "contents.data", sizeof("contents.data") - 1)) != NULL) { - convert_to_string_ex(pvalue); - bod->contents.text.data = fs_get(Z_STRLEN_P(pvalue) + 1); - memcpy(bod->contents.text.data, Z_STRVAL_P(pvalue), Z_STRLEN_P(pvalue)+1); - bod->contents.text.size = Z_STRLEN_P(pvalue); + if (bod->type == TYPEMESSAGE && bod->subtype && !strcmp(bod->subtype, "RFC822")) { + bod->nested.msg = mail_newmsg(); } else { - bod->contents.text.data = fs_get(1); - memcpy(bod->contents.text.data, "", 1); - bod->contents.text.size = 0; + if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "contents.data", sizeof("contents.data") - 1)) != NULL) { + convert_to_string_ex(pvalue); + bod->contents.text.data = fs_get(Z_STRLEN_P(pvalue) + 1); + memcpy(bod->contents.text.data, Z_STRVAL_P(pvalue), Z_STRLEN_P(pvalue)+1); + bod->contents.text.size = Z_STRLEN_P(pvalue); + } else { + bod->contents.text.data = fs_get(1); + memcpy(bod->contents.text.data, "", 1); + bod->contents.text.size = 0; + } } if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "lines", sizeof("lines") - 1)) != NULL) { bod->size.lines = zval_get_long(pvalue); @@ -3933,7 +3937,7 @@ PHP_FUNCTION(imap_mail_compose) efree(mystring); mystring=tempstring; } else if (bod) { - spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data, CRLF); + spprintf(&tempstring, 0, "%s%s%s", mystring, bod->contents.text.data ? bod->contents.text.data : "", CRLF); efree(mystring); mystring=tempstring; } else { |