Fix #77020: null pointer dereference in imap_mail

If an empty $message is passed to imap_mail(), we must not set message
to NULL, since _php_imap_mail() is not supposed to handle NULL pointers
(opposed to pointers to NUL).

diff --git a/NEWS b/NEWS
index 5d945dfde1b5fa35a32da44492bfa3e0f330b5f8..34ff5848d57ad13b1964c0f807c7e28bdbd5bad0 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2018, PHP 5.6.39
 
 - IMAP:
+  . Fixed bug #77020 (null pointer dereference in imap_mail). (cmb)
   . Fixed bug #77153 (imap_open allows to run arbitrary shell commands via
     mailbox parameter). (Stas)
 

diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
index a23e84c085216c65d9ebe4a61840f5747dd4626b..b30440f000f38f1e040a909a290db754ace49042 100644 (file)
--- a/ext/imap/php_imap.c
+++ b/ext/imap/php_imap.c
@@ -4094,7 +4094,6 @@ PHP_FUNCTION(imap_mail)
        if (!message_len) {
                /* this is not really an error, so it is allowed. */
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "No message string in mail command");
-               message = NULL;
        }
 
        if (_php_imap_mail(to, subject, message, headers, cc, bcc, rpath TSRMLS_CC)) {

diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt
new file mode 100644 (file)
index 0000000..8a65232
--- /dev/null
+++ b/ext/imap/tests/bug77020.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #77020 (null pointer dereference in imap_mail)
+--SKIPIF--
+<?php
+if (!extension_loaded('imap')) die('skip imap extension not available');
+?>
+--FILE--
+<?php
+imap_mail('1', 1, NULL);
+?>
+===DONE===
+--EXPECTF--
+Warning: imap_mail(): No message string in mail command in %s on line %d
+%s
+===DONE===