Fixed bug #75774 imap_append HeapCorruction

php · Jan 12, 2018 · cecf734 · cecf734
1 parent 9d2662e
commit cecf734
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 6 deletions.
diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
@@ -1312,18 +1312,18 @@ PHP_FUNCTION(imap_append)
 	zend_string *folder, *message, *internal_date = NULL, *flags = NULL;
 	pils *imap_le_struct;
 	STRING st;
-	zend_string* regex;
-	pcre_cache_entry *pce;				/* Compiled regex */
-	zval *subpats = NULL;				/* Parts (not used) */
-	int global = 0;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "rSS|SS", &streamind, &folder, &message, &flags, &internal_date) == FAILURE) {
 		return;
 	}
 
-	regex  = zend_string_init("/[0-3][0-9]-((Jan)|(Feb)|(Mar)|(Apr)|(May)|(Jun)|(Jul)|(Aug)|(Sep)|(Oct)|(Nov)|(Dec))-[0-9]{4} [0-2][0-9]:[0-5][0-9]:[0-5][0-9] [+-][0-9]{4}/", sizeof("/[0-3][0-9]-((Jan)|(Feb)|(Mar)|(Apr)|(May)|(Jun)|(Jul)|(Aug)|(Sep)|(Oct)|(Nov)|(Dec))-[0-9]{4} [0-2][0-9]:[0-5][0-9]:[0-5][0-9] [+-][0-9]{4}/") - 1, 0);
 
 	if (internal_date) {
+		zend_string *regex  = zend_string_init("/[0-3][0-9]-((Jan)|(Feb)|(Mar)|(Apr)|(May)|(Jun)|(Jul)|(Aug)|(Sep)|(Oct)|(Nov)|(Dec))-[0-9]{4} [0-2][0-9]:[0-5][0-9]:[0-5][0-9] [+-][0-9]{4}/", sizeof("/[0-3][0-9]-((Jan)|(Feb)|(Mar)|(Apr)|(May)|(Jun)|(Jul)|(Aug)|(Sep)|(Oct)|(Nov)|(Dec))-[0-9]{4} [0-2][0-9]:[0-5][0-9]:[0-5][0-9] [+-][0-9]{4}/") - 1, 0);
+		pcre_cache_entry *pce;				/* Compiled regex */
+		zval *subpats = NULL;				/* Parts (not used) */
+		int global = 0;
+
 		/* Make sure the given internal_date string matches the RFC specifiedformat */
 		if ((pce = pcre_get_compiled_regex_cache(regex))== NULL) {
 			zend_string_free(regex);
@@ -1340,7 +1340,6 @@ PHP_FUNCTION(imap_append)
 		}
 	}
 
-	zend_string_free(regex);
 	if ((imap_le_struct = (pils *)zend_fetch_resource(Z_RES_P(streamind), "imap", le_imap)) == NULL) {
 		RETURN_FALSE;
 	}

diff --git a/ext/imap/tests/bug75774.phpt b/ext/imap/tests/bug75774.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #75774 imap_append HeapCorruction
+--SKIPIF--
+<?php
+extension_loaded('imap') or die('skip imap extension not available in this build');
+?>
+--FILE--
+<?php
+
+$fn = __DIR__ . DIRECTORY_SEPARATOR . "foo75774";
+$var1=fopen($fn, "w");
+
+imap_append($var1, "", "", "", "");
+
+fclose($var1);
+unlink($fn);
+
+?>
+==DONE==
+--EXPECTF--
+Warning: imap_append(): internal date not correctly formatted in %s on line %d
+
+Warning: imap_append(): supplied resource is not a valid imap resource in %s on line %d
+==DONE==