From 357cadb3621817193d441f01365dfdbb58a661a5 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <iliaa@php.net>
Date: Wed, 2 Apr 2008 16:31:51 +0000
Subject: [PATCH] MFB: imap bug fixes

---
 NEWS                |  3 +++
 ext/imap/php_imap.c | 14 +++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/NEWS b/NEWS
index e2fe01d542..fa01bd5cbf 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Apr 2008, PHP 5.2.6
+- Fixed bug #44613 (Crash inside imap_headerinfo()). (Ilia, jmessa)
+- Fixed bug #44594 (imap_open() does not validate # of retries parameter).
+  (Ilia)
 - Fixed bug #44557 (Crash in imap_setacl when supplied integer as username)
   (Thomas Jarosch)
 
diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
index 3d6f3c6c8f..9fe4f4cbd9 100644
--- a/ext/imap/php_imap.c
+++ b/ext/imap/php_imap.c
@@ -792,7 +792,11 @@ static void php_imap_do_open(INTERNAL_FUNCTION_PARAMETERS, int persistent)
 #ifdef SET_MAXLOGINTRIALS
 	if (myargc == 5) {
 		convert_to_long_ex(retries);
-		mail_parameters(NIL, SET_MAXLOGINTRIALS, (void *) Z_LVAL_PP(retries));
+		if (retries < 0) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING ,"Retries must be greater or equal to 0");
+		} else {
+			mail_parameters(NIL, SET_MAXLOGINTRIALS, (void *) Z_LVAL_PP(retries));
+		}
 	}
 #endif
 
@@ -1583,8 +1587,8 @@ PHP_FUNCTION(imap_headerinfo)
 	convert_to_long_ex(msgno);
 	if (myargc >= 3) {
 		convert_to_long_ex(fromlength);
-		if (Z_LVAL_PP(fromlength) < 0) {
-			php_error_docref(NULL TSRMLS_CC, E_WARNING, "From length has to be greater than or equal to 0");
+		if (Z_LVAL_PP(fromlength) < 0 || Z_LVAL_PP(fromlength) >= MAILTMPLEN) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "From length has to be between 1 and %i", MAILTMPLEN);
 			RETURN_FALSE;
 		}
 	} else {
@@ -1592,8 +1596,8 @@ PHP_FUNCTION(imap_headerinfo)
 	}
 	if (myargc >= 4) {
 		convert_to_long_ex(subjectlength);
-		if (Z_LVAL_PP(subjectlength) < 0) {
-			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Subject length has to be greater than or equal to 0");
+		if (Z_LVAL_PP(subjectlength) < 0 || Z_LVAL_PP(subjectlength) >= MAILTMPLEN) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Subject length has to be between 1 and %i", MAILTMPLEN);
 			RETURN_FALSE;
 		}
 	} else {
-- 
2.50.1