diff options
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | ext/imap/php_imap.c | 13 | ||||
| -rw-r--r-- | ext/imap/tests/bug32589.phpt | 34 |
3 files changed, 42 insertions, 6 deletions
@@ -68,6 +68,7 @@ PHP NEWS - Fixed bug #33326 (Cannot build extensions with phpize on Macosx). (Jani) - Fixed bug #32981 (ReflectionMethod::getStaticVariables() causes apache2.0.54 seg fault). (Dmitry) +- Fixed bug #32589 (possible crash inside imap_mail_compose() function). (Ilia) - Fixed bug #32139 (SOAP client does not auto-handle base64 encoding). (Ilia) - Fixed bug #32010 (Memory leak in mssql_fetch_batch). (fmk) - Fixed bug #29334 (win32 mail() provides incorrect Date: header). (Jani) diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c index 5d738dbe67..8825244b48 100644 --- a/ext/imap/php_imap.c +++ b/ext/imap/php_imap.c @@ -2908,6 +2908,7 @@ PHP_FUNCTION(imap_mail_compose) custom_headers_param = mail_newbody_parameter(); convert_to_string_ex(env_data); custom_headers_param->value = (char *) fs_get(Z_STRLEN_PP(env_data) + 1); + custom_headers_param->attribute = NULL; memcpy(custom_headers_param->value, Z_STRVAL_PP(env_data), Z_STRLEN_PP(env_data) + 1); zend_hash_move_forward(Z_ARRVAL_PP(pvalue)); custom_headers_param->next = tmp_param; @@ -2939,7 +2940,7 @@ PHP_FUNCTION(imap_mail_compose) convert_to_string_ex(pvalue); tmp_param = mail_newbody_parameter(); tmp_param->value = cpystr(Z_STRVAL_PP(pvalue)); - tmp_param->attribute = "CHARSET"; + tmp_param->attribute = cpystr("CHARSET"); tmp_param->next = bod->parameter; bod->parameter = tmp_param; } @@ -2949,7 +2950,7 @@ PHP_FUNCTION(imap_mail_compose) while (zend_hash_get_current_data(Z_ARRVAL_PP(pvalue), (void **) &disp_data) == SUCCESS) { disp_param = mail_newbody_parameter(); zend_hash_get_current_key(Z_ARRVAL_PP(pvalue), &key, &ind, 0); - disp_param->attribute = key; + disp_param->attribute = cpystr(key); convert_to_string_ex(disp_data); disp_param->value = (char *) fs_get(Z_STRLEN_PP(disp_data) + 1); memcpy(disp_param->value, Z_STRVAL_PP(disp_data), Z_STRLEN_PP(disp_data) + 1); @@ -2983,7 +2984,7 @@ PHP_FUNCTION(imap_mail_compose) while (zend_hash_get_current_data(Z_ARRVAL_PP(pvalue), (void **) &disp_data) == SUCCESS) { disp_param = mail_newbody_parameter(); zend_hash_get_current_key(Z_ARRVAL_PP(pvalue), &key, &ind, 0); - disp_param->attribute = key; + disp_param->attribute = cpystr(key); convert_to_string_ex(disp_data); disp_param->value = (char *) fs_get(Z_STRLEN_PP(disp_data) + 1); memcpy(disp_param->value, Z_STRVAL_PP(disp_data), Z_STRLEN_PP(disp_data) + 1); @@ -3047,7 +3048,7 @@ PHP_FUNCTION(imap_mail_compose) tmp_param = mail_newbody_parameter(); tmp_param->value = (char *) fs_get(Z_STRLEN_PP(pvalue) + 1); memcpy(tmp_param->value, Z_STRVAL_PP(pvalue), Z_STRLEN_PP(pvalue) + 1); - tmp_param->attribute = "CHARSET"; + tmp_param->attribute = cpystr("CHARSET"); tmp_param->next = bod->parameter; bod->parameter = tmp_param; } @@ -3057,7 +3058,7 @@ PHP_FUNCTION(imap_mail_compose) while (zend_hash_get_current_data(Z_ARRVAL_PP(pvalue), (void **) &disp_data) == SUCCESS) { disp_param = mail_newbody_parameter(); zend_hash_get_current_key(Z_ARRVAL_PP(pvalue), &key, &ind, 0); - disp_param->attribute = key; + disp_param->attribute = cpystr(key); convert_to_string_ex(disp_data); disp_param->value = (char *) fs_get(Z_STRLEN_PP(disp_data) + 1); memcpy(disp_param->value, Z_STRVAL_PP(disp_data), Z_STRLEN_PP(disp_data) + 1); @@ -3091,7 +3092,7 @@ PHP_FUNCTION(imap_mail_compose) while (zend_hash_get_current_data(Z_ARRVAL_PP(pvalue), (void **) &disp_data) == SUCCESS) { disp_param = mail_newbody_parameter(); zend_hash_get_current_key(Z_ARRVAL_PP(pvalue), &key, &ind, 0); - disp_param->attribute = key; + disp_param->attribute = cpystr(key); convert_to_string_ex(disp_data); disp_param->value = (char *) fs_get(Z_STRLEN_PP(disp_data) + 1); memcpy(disp_param->value, Z_STRVAL_PP(disp_data), Z_STRLEN_PP(disp_data) + 1); diff --git a/ext/imap/tests/bug32589.phpt b/ext/imap/tests/bug32589.phpt new file mode 100644 index 0000000000..c5030e8970 --- /dev/null +++ b/ext/imap/tests/bug32589.phpt @@ -0,0 +1,34 @@ +--TEST-- +Bug #32589 (crash inside imap_mail_compose() function) +--SKIPIF-- +<?php + if (!extension_loaded("imap")) { + die("skip imap extension not available"); + } +?> +--FILE-- +<?php +$m_envelope["To"] = "mail@example.com"; +$m_part1["type"] = TYPEMULTIPART; +$m_part1["subtype"] = "mixed"; +$m_part2["type"] = TYPETEXT; +$m_part2["subtype"] = "plain"; +$m_part2["description"] = "text_message"; + +$m_part2["charset"] = "ISO-8859-2"; + +$m_part2["contents.data"] = "hello"; +$m_body[1] = $m_part1; +$m_body[2] = $m_part2; +echo imap_mail_compose($m_envelope, $m_body); +?> +--EXPECTF-- +MIME-Version: 1.0 +Content-Type: MULTIPART/mixed; BOUNDARY="%s" + +%s +Content-Type: TEXT/plain; CHARSET=ISO-8859-2 +Content-Description: text_message + +hello +%s |