diff options
| author | Stanislav Malyshev <stas@php.net> | 2018-11-11 10:04:01 -0800 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2018-12-03 00:00:56 -0800 |
| commit | 7edc639b9ff1c3576773d79d016abbeed1f93846 (patch) | |
| tree | 9cafc35b020521dd87894a6b321b7335fb2e0ad8 | |
| parent | aabdb71dc3739f5e06916e2a4e24deb37437b1e8 (diff) | |
| download | php-git-7edc639b9ff1c3576773d79d016abbeed1f93846.tar.gz | |
Fix #77020: null pointer dereference in imap_mail
If an empty $message is passed to imap_mail(), we must not set message
to NULL, since _php_imap_mail() is not supposed to handle NULL pointers
(opposed to pointers to NUL).
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | ext/imap/php_imap.c | 1 | ||||
| -rw-r--r-- | ext/imap/tests/bug77020.phpt | 15 |
3 files changed, 16 insertions, 1 deletions
@@ -3,6 +3,7 @@ PHP NEWS ?? ??? 2018, PHP 5.6.39 - IMAP: + . Fixed bug #77020 (null pointer dereference in imap_mail). (cmb) . Fixed bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter). (Stas) diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c index a23e84c085..b30440f000 100644 --- a/ext/imap/php_imap.c +++ b/ext/imap/php_imap.c @@ -4094,7 +4094,6 @@ PHP_FUNCTION(imap_mail) if (!message_len) { /* this is not really an error, so it is allowed. */ php_error_docref(NULL TSRMLS_CC, E_WARNING, "No message string in mail command"); - message = NULL; } if (_php_imap_mail(to, subject, message, headers, cc, bcc, rpath TSRMLS_CC)) { diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt new file mode 100644 index 0000000000..8a65232eec --- /dev/null +++ b/ext/imap/tests/bug77020.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #77020 (null pointer dereference in imap_mail) +--SKIPIF-- +<?php +if (!extension_loaded('imap')) die('skip imap extension not available'); +?> +--FILE-- +<?php +imap_mail('1', 1, NULL); +?> +===DONE=== +--EXPECTF-- +Warning: imap_mail(): No message string in mail command in %s on line %d +%s +===DONE=== |