231156 – net-libs/c-client-2006k crashes dev-lang/php-5.2.6-r2 in some cases

Bug 231156 - net-libs/c-client-2006k crashes dev-lang/php-5.2.6-r2 in some cases

Summary: net-libs/c-client-2006k crashes dev-lang/php-5.2.6-r2 in some cases

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	New packages (show other bugs)
Hardware:	x86 Linux

Importance:	High major (vote)
Assignee:	Net-Mail Packages

URL:	http://bugs.php.net/bug.php?id=45466
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2008-07-08 12:36 UTC by Deniss Gaplevsky
Modified:	2008-10-13 16:42 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Deniss Gaplevsky 2008-07-08 12:36:46 UTC

dev-lang/php-5.2.6-r2 built with net-libs/c-client-2006k 
php crashes sometimes.
Look like due bug in c-client.
There backtrace from coredump:

#0  0xa98b9402 in __kernel_vsyscall ()
#1  0xa8e60601 in raise () from /lib/libc.so.6
#2  0xa8e61e5c in abort () from /lib/libc.so.6
#3  0x08395881 in fatal ()
#4  0x0839ccce in myusername_full ()
#5  0x0839ce7c in myhomedir ()
#6  0x083fb667 in mh_path ()
#7  0x083fbf8a in mh_isvalid ()
#8  0x083fca02 in mh_valid ()
#9  0x083a2b98 in mail_valid ()
#10 0x083b0d1b in mail_open ()
#11 0x08157783 in php_imap_do_open (ht=4, return_value=0x889a68c, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=1, persistent=0)
    at /var/tmp/portage/dev-lang/php-5.2.6-r2/work/php-5.2.6/ext/imap/php_imap.c:804
#12 0x08157923 in zif_imap_open (ht=4, return_value=0x889a68c, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=1) at /var/tmp/portage/dev-lang/php-5.2.6-r2/work/php-5.2.6/ext/imap/php_imap.c:825
#13 0x08305be4 in zend_call_function (fci=0xbaf09ad0, fci_cache=0x0)
    at /var/tmp/portage/dev-lang/php-5.2.6-r2/work/php-5.2.6/Zend/zend_execute_API.c:1027
#14 0x083042fe in call_user_function_ex (function_table=0x86f13b8, object_pp=0x0, function_name=0x889a5a4,
    retval_ptr_ptr=0xbaf09b50, param_count=4, params=0x889a614, no_separation=0, symbol_table=0x0)
    at /var/tmp/portage/dev-lang/php-5.2.6-r2/work/php-5.2.6/Zend/zend_execute_API.c:640
#15 0x0821886d in zif_call_user_func_array (ht=2, return_value=0x889a1a4, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=1)
    at /var/tmp/portage/dev-lang/php-5.2.6-r2/work/php-5.2.6/ext/standard/basic_functions.c:5181
#16 0x0833b134 in zend_do_fcall_common_helper_SPEC (execute_data=0xbaf0a5a0)
    at /var/tmp/portage/dev-lang/php-5.2.6-r2/work/php-5.2.6/Zend/zend_vm_execute.h:200
#17 0x08340d95 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbaf0a5a0)
    at /var/tmp/portage/dev-lang/php-5.2.6-r2/work/php-5.2.6/Zend/zend_vm_execute.h:1679
#18 0x0833ac79 in execute (op_array=0x8983978)
    at /var/tmp/portage/dev-lang/php-5.2.6-r2/work/php-5.2.6/Zend/zend_vm_execute.h:92
#19 0x0833b2d4 in zend_do_fcall_common_helper_SPEC (execute_data=0xbaf0a830)
    at /var/tmp/portage/dev-lang/php-5.2.6-r2/work/php-5.2.6/Zend/zend_vm_execute.h:234
#20 0x08340d95 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbaf0a830)
    at /var/tmp/portage/dev-lang/php-5.2.6-r2/work/php-5.2.6/Zend/zend_vm_execute.h:1679
#21 0x0833ac79 in execute (op_array=0x8983a40)
    at /var/tmp/portage/dev-lang/php-5.2.6-r2/work/php-5.2.6/Zend/zend_vm_execute.h:92
#22 0x0833b2d4 in zend_do_fcall_common_helper_SPEC (execute_data=0xbaf0b290)
    at /var/tmp/portage/dev-lang/php-5.2.6-r2/work/php-5.2.6/Zend/zend_vm_execute.h:234
#23 0x0833be16 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbaf0b290)
    at /var/tmp/portage/dev-lang/php-5.2.6-r2/work/php-5.2.6/Zend/zend_vm_execute.h:322

probably same issue as http://bugs.gentoo.org/show_bug.cgi?id=221969#c3

Comment 1 Deniss Gaplevsky 2008-07-08 19:50:23 UTC

there is error message in log before crash:
php-cgi: IMAP toolkit crash: Unable to look up user name
BUT WHY php crashes on this ?!?

Comment 2 Deniss Gaplevsky 2008-07-09 12:16:58 UTC

Looks like php function imap_open does not check arguments to present. 
Empty args crash c-client.
Following php script brings down php with coredump:
<?php
echo 'start ';
if ( ($link = imap_open($dsn, $username, $password, $flags)) === false ) {
   echo 'cannt open';
}
echo ' finish';
?>

Comment 3 Deniss Gaplevsky 2008-07-12 13:27:15 UTC

c-client-2007b has some fixes, probably for this bug too. 
please add c-client-2007b ebuild to portage.

Comment 4 John Hardin 2008-07-14 03:38:31 UTC

Please don't break uw-imap in fixing this bug. See Bug 153281. Thx.

Comment 5 Christian Hoffmann (RETIRED) gentoo-dev

2008-07-14 08:38:09 UTC

(In reply to comment #4)
> Please don't break uw-imap in fixing this bug. See Bug 153281. Thx.
The linked bug is not caused by c-client, it is caused by php's way of accessing the c-client api and the fact that uw-imap is even more outdated than c-client.

Comment 6 Christian Hoffmann (RETIRED) gentoo-dev

2008-10-13 16:42:52 UTC

Please try again using the latest versions (at least php-5.2.6-r6).
I have been able to reproduce this bug before, but by using a (security) patch we avoid triggering these overflow issues in c-client from within php (c-client cannot do anything about them, it's up to php to use the proper API calls).

Please reopen if you've still got these issues.