PHP IMAP segfault

John Dalbec jpdalbec at ysu.edu
Thu Dec 1 22:48:17 UTC 2005


On Wed, 30 Nov 2005 at 12:52:46 -0700, Michal Jaegermann wrote:

> On Wed, Nov 30, 2005 at 12:09:09PM -0500, John Dalbec wrote:
> 
>>> (gdb) backtrace
>>> #0  0x409ba612 in zif_imap_fetch_overview () from /usr/lib/php4/imap.so
>>> #1  0x67696c61 in ?? ()
>>> Cannot access memory at address 0x62656420
> 
> 
> 0x62656420 actually spells " deb" (little endian) and 0x67696c61
> is "alig".  Sounds suspiciously like
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170411
> which you actually posted with that exception that depending on
> what distro you are using it may be either imap or libc-client
> libraries (or maybe php has a copy of this code?). So you may want
> to look as well at
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170521
> 
> Clearly this may be a wrong guess.
> 
>    Michal

The code that I was concerned about is in rfc822.c, not mail.c.  But I guess the 
stack corruption could have occurred in one of the mail_ functions (probably 
mail_fetch_structure).  PHP-IMAP statically links libc-client.a so technically 
after any fix affecting this library PHP should be rebuilt.

The segfault doesn't occur until fairly late in the subroutine when it tries to 
access the corrupted stack.  I tried to single-step through it to see whether I 
could find the point of stack corruption but I didn't have the patience for it 
and I think the IMAP connections were timing out and causing unrelated segfaults 
(also with stack corruption):

Program received signal SIGSEGV, Segmentation fault.
0x4044b5f8 in object.2 () from /etc/httpd/modules/libphp4.so
(gdb) bt
#0  0x4044b5f8 in object.2 () from /etc/httpd/modules/libphp4.so
#1  0x0839767c in ?? ()
#2  0x40452168 in object.2 () from /etc/httpd/modules/libphp4.so
#3  0x40459f12 in object.2 () from /etc/httpd/modules/libphp4.so
#4  0x40438582 in object.2 () from /etc/httpd/modules/libphp4.so
#5  0x4045623e in object.2 () from /etc/httpd/modules/libphp4.so
#6  0x404565ab in object.2 () from /etc/httpd/modules/libphp4.so
#7  0x4044e06c in object.2 () from /etc/httpd/modules/libphp4.so
#8  0x4044b894 in object.2 () from /etc/httpd/modules/libphp4.so
#9  0x08051bf9 in run_cleanups ()
#10 0x080506ab in ap_clear_pool ()
#11 0x08050711 in ap_destroy_pool ()
#12 0x0805067c in ap_clear_pool ()
#13 0x0805f7bd in child_main ()
#14 0x0805fe3a in make_child ()
#15 0x0805ff7d in startup_children ()
#16 0x080605d0 in standalone_main ()
#17 0x08060ed3 in main ()
#18 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6

You can find a somewhat-sanitized version of the offending e-mail message at 
http://unix1.cc.ysu.edu/~jpdalbec/adam.txt including ..., debalig at aol.com, ....

Maybe I'll try a binary search setting different breakpoints.

John
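The trick Michal uses above, reading a nonsense return address as little-endian ASCII to recognise that string data has overwritten the stack, is a standard crash-triage step worth automating. The following is an added example, not code from the original thread or from PHP/libc-client: it parses the quoted gdb output, flags any frame or fault address whose four bytes are all printable, and reassembles the fragments in memory order. The memory ordering is an assumption on my part: on a conventional i386 frame the saved frame pointer (which gdb reads when it reports "Cannot access memory at address ...") sits four bytes below that frame's return address, so its text should come first. The check that this assumption holds is that the reassembled text, " debalig", matches the "debalig at aol.com" address John names in the offending message.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the gdb session quoted in the message above.
GDB_SESSION = """\
(gdb) backtrace
#0  0x409ba612 in zif_imap_fetch_overview () from /usr/lib/php4/imap.so
#1  0x67696c61 in ?? ()
Cannot access memory at address 0x62656420
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-fA-F]+)\s+in\s+(\S+)")
FAULT_RE = re.compile(r"Cannot access memory at address 0x([0-9a-fA-F]+)")

# A finding is (kind, frame_number_or_None, address, decoded_text).
Finding = Tuple[str, Optional[int], int, str]


def decode_word_le(value: int, width: int = 4) -> Optional[str]:
    """Interpret a machine word as `width` little-endian bytes.

    Returns the text if every byte is printable ASCII, otherwise None.
    A code address almost never satisfies this; a word copied in from
    an e-mail header almost always does.
    """
    raw = value.to_bytes(width, "little")
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage_backtrace(session: str) -> List[Finding]:
    """Scan gdb backtrace text for addresses that decode as ASCII.

    Frame lines ('#1  0x67696c61 in ?? ()') yield ("frame", n, addr, text);
    unwinder failures ('Cannot access memory at address 0x...') yield
    ("fault", None, addr, text). Addresses that do not decode are skipped.
    """
    findings: List[Finding] = []
    for line in session.splitlines():
        m = FRAME_RE.match(line)
        if m:
            addr = int(m.group(2), 16)
            text = decode_word_le(addr)
            if text is not None:
                findings.append(("frame", int(m.group(1)), addr, text))
            continue
        m = FAULT_RE.search(line)
        if m:
            addr = int(m.group(1), 16)
            text = decode_word_le(addr)
            if text is not None:
                findings.append(("fault", None, addr, text))
    return findings


def reconstruct_overwrite(findings: List[Finding]) -> str:
    """Join decoded fragments in (assumed) ascending memory order.

    Assumption: conventional i386 frame layout, where the saved frame
    pointer gdb tried to read ("fault") lies 4 bytes below the corrupted
    return address of the same frame, so its text precedes the frame text.
    """
    faults = [t for kind, _, _, t in findings if kind == "fault"]
    frames = [t for kind, _, _, t in findings if kind == "frame"]
    return "".join(faults + frames)


if __name__ == "__main__":
    for kind, n, addr, text in triage_backtrace(GDB_SESSION):
        where = f"frame #{n}" if n is not None else "fault address"
        print(f"{where:14s} 0x{addr:08x} -> {text!r}")
    print("reassembled:", repr(reconstruct_overwrite(triage_backtrace(GDB_SESSION))))
```

Run it as a script and it reports frame #1 as "alig" and the fault address as " deb", reassembled to " debalig". Seeing printable text where a return address belongs is the quickest confirmation that the crash is a stack overwrite driven by parsed input rather than, say, a use-after-free, which is exactly the signal that moves a report from "PHP crashes" to "input-controlled memory corruption in the address parser".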




More information about the fedora-legacy-list mailing list