From: George Peter Banyard <girgias@php.net>
Date: Thu, 22 Oct 2020 14:21:57 +0000 (+0100)
Subject: Fix segfaults after conversion from zval to zend_string params
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8b265fb602b2945b5ba56da2bb206e687ab3bb5b;p=php

Fix segfaults after conversion from zval to zend_string params
---

diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
index 258bd5bb9c..6861b2ad9e 100644
--- a/ext/imap/php_imap.c
+++ b/ext/imap/php_imap.c
@@ -3532,6 +3532,7 @@ bool _php_imap_mail(zend_string *to, zend_string *subject, zend_string *message,
 
 	ZEND_ASSERT(to && ZSTR_LEN(to) != 0);
 	ZEND_ASSERT(subject && ZSTR_LEN(subject) != 0);
+	ZEND_ASSERT(message);
 
 #ifdef PHP_WIN32
 	char *tempMailTo;
@@ -3661,14 +3662,23 @@ bool _php_imap_mail(zend_string *to, zend_string *subject, zend_string *message,
 	}
 	sendmail = popen(INI_STR("sendmail_path"), "w");
 	if (sendmail) {
-		if (ZSTR_LEN(rpath) != 0) fprintf(sendmail, "From: %s\n", ZSTR_VAL(rpath));
+		if (rpath && ZSTR_LEN(rpath) != 0) {
+			fprintf(sendmail, "From: %s\n", ZSTR_VAL(rpath));
+		}
+		/* to cannot be a null pointer, asserted earlier on */
 		fprintf(sendmail, "To: %s\n", ZSTR_VAL(to));
-		if (ZSTR_LEN(cc) != 0) fprintf(sendmail, "Cc: %s\n", ZSTR_VAL(cc));
-		if (ZSTR_LEN(bcc) != 0) fprintf(sendmail, "Bcc: %s\n", ZSTR_VAL(bcc));
+		if (cc && ZSTR_LEN(cc) != 0) {
+			fprintf(sendmail, "Cc: %s\n", ZSTR_VAL(cc));
+		}
+		if (bcc && ZSTR_LEN(bcc) != 0) {
+			fprintf(sendmail, "Bcc: %s\n", ZSTR_VAL(bcc));
+		}
+		/* subject cannot be a null pointer, asserted earlier on */
 		fprintf(sendmail, "Subject: %s\n", ZSTR_VAL(subject));
-		if (headers != NULL) {
+		if (headers && ZSTR_LEN(headers) != 0) {
 			fprintf(sendmail, "%s\n", ZSTR_VAL(headers));
 		}
+		/* message cannot be a null pointer, asserted earlier on */
 		fprintf(sendmail, "\n%s\n", ZSTR_VAL(message));
 		ret = pclose(sendmail);
 
diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt
index 582b132ad8..43c8133700 100644
--- a/ext/imap/tests/bug77020.phpt
+++ b/ext/imap/tests/bug77020.phpt
@@ -10,4 +10,4 @@ imap_mail('1', 1, NULL);
 ?>
 --EXPECTF--
 Warning: imap_mail(): No message string in mail command in %s on line %d
-%A
+%S