summaryrefslogtreecommitdiffstats
path: root/bug77020.patch
blob: eafa38fe76f6ea9a6ba65acc235119d5e1954ee5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
Backported for 5.4, from 5.6, by Remi


From 7edc639b9ff1c3576773d79d016abbeed1f93846 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 11 Nov 2018 10:04:01 -0800
Subject: [PATCH] Fix #77020: null pointer dereference in imap_mail

If an empty $message is passed to imap_mail(), we must not set message
to NULL, since _php_imap_mail() is not supposed to handle NULL pointers
(opposed to pointers to NUL).
---
 NEWS                         |  1 +
 ext/imap/php_imap.c          |  1 -
 ext/imap/tests/bug77020.phpt | 15 +++++++++++++++
 3 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 ext/imap/tests/bug77020.phpt

diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
index a23e84c08521..b30440f000f3 100644
--- a/ext/imap/php_imap.c
+++ b/ext/imap/php_imap.c
@@ -4088,7 +4088,6 @@ PHP_FUNCTION(imap_mail)
 	if (!message_len) {
 		/* this is not really an error, so it is allowed. */
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "No message string in mail command");
-		message = NULL;
 	}
 
 	if (_php_imap_mail(to, subject, message, headers, cc, bcc, rpath TSRMLS_CC)) {
diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt
new file mode 100644
index 000000000000..8a65232eec6d
--- /dev/null
+++ b/ext/imap/tests/bug77020.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #77020 (null pointer dereference in imap_mail)
+--SKIPIF--
+<?php
+if (!extension_loaded('imap')) die('skip imap extension not available');
+?>
+--FILE--
+<?php
+imap_mail('1', 1, NULL);
+?>
+===DONE===
+--EXPECTF--
+Warning: imap_mail(): No message string in mail command in %s on line %d
+%s
+===DONE===