MFH: Fixed bug #25333 (Possible body corruption & crash in win32 mail()).

diff --git a/NEWS b/NEWS
index 7eceaabdc047af82c1748e46e457a3f304660df7..7d03b97b3eedb31e90b83f1ddb8fbc974e4dc59a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ PHP 4                                                                      NEWS
 - Fixed bug #25372 (sscanf() does not work with %X). (Jani)
 - Fixed bug #25348 ("make install" fails with --enable-short-tags). (Jani)
 - Fixed bug #25343 (is_dir() gives warning on FreeBSD). (Jani)
+- Fixed bug #25333 (Possible body corruption & crash in win32 mail()). (Ilia)
 - Fixed bug #25308 (php -m crashes when zend extensions are loaded). (Stas)
 - Fixed bug #25307 (Crash with WDDX serializer). (Sascha, Jani)
 - Fixed bug #25239 (ftp_fopen_wrapper not RFC compliant). (Sara)

diff --git a/win32/sendmail.c b/win32/sendmail.c
index 855873c5de141b4acd83cfc6c81e3288ecdfe0bd..f6894c1ba9109bf1067271bc04c85002c2dc14d0 100644 (file)
--- a/win32/sendmail.c
+++ b/win32/sendmail.c
@@ -362,7 +362,7 @@ char *GetSMErrorText(int index)
 int SendText(char *RPath, char *Subject, char *mailTo, char *mailCc, char *mailBcc, char *data, 
                         char *headers, char *headers_lc, char **error_message)
 {
-       int res, i;
+       int res;
        char *p;
        char *tempMailTo, *token, *pos1, *pos2;
        char *server_response = NULL;
@@ -596,35 +596,30 @@ int SendText(char *RPath, char *Subject, char *mailTo, char *mailCc, char *mailB
         * uses ZVAL as it's parameters */
        data_cln = php_str_to_str(data, strlen(data), PHP_WIN32_MAIL_DOT_PATTERN, sizeof(PHP_WIN32_MAIL_DOT_PATTERN) - 1,
                                        PHP_WIN32_MAIL_DOT_REPLACE, sizeof(PHP_WIN32_MAIL_DOT_REPLACE) - 1, &data_cln_len);
+       if (!data_cln) {
+               data_cln = estrdup("");
+               data_cln_len = 1;               
+       }
 
        /* send message contents in 1024 chunks */
-       if (data_cln_len <= 1024) {
-               if ((res = Post(data_cln)) != SUCCESS) {
-                       efree(data_cln);
-                       return (res);
-               }
-       } else {
-               int parts = (int) floor(data_cln_len / 1024);
+       {
+               char c, *e2, *e = data_cln + data_cln_len;
                p = data_cln;
 
-               for (i = 0; i < parts; i++) {
-                       strlcpy(Buffer, p, 1024);
-                       Buffer[1024] = '\0';
-                       p += 1024;
-send_chunk:
-                       /* send chunk */
-                       if ((res = Post(Buffer)) != SUCCESS) {
+               while (e - p > 1024) {
+                       e2 = p + 1024;
+                       c = *e2;
+                       *e2 = '\0';
+                       if ((res = Post(p)) != SUCCESS) {
                                efree(data_cln);
-                               return (res);
+                               return(res);
                        }
+                       *e2 = c;
+                       p = e2;
                }
-
-               if ((parts * 1024) < data_cln_len) {
-                       i = data_cln_len - (parts * 1024);
-                       strlcpy(Buffer, p, i);
-                       Buffer[i] = '\0';
-                       parts++;
-                       goto send_chunk;
+               if ((res = Post(p)) != SUCCESS) {
+                       efree(data_cln);
+                       return(res);
                }
        }