From 4f1520912cb8f905edb1b6c5a81260ad71569699 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Tue, 30 Aug 2005 22:02:43 +0000
Subject: [PATCH] Fixed bug #32589 (possible crash inside imap_mail_compose() function).
---
 ext/imap/php_imap.c | 13 +++++++------
 ext/imap/tests/bug32589.phpt | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 6 deletions(-)
 create mode 100644 ext/imap/tests/bug32589.phpt
diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
index 5d738dbe67..8825244b48 100644
--- a/ext/imap/php_imap.c
+++ b/ext/imap/php_imap.c
@@ -2908,6 +2908,7 @@ PHP_FUNCTION(imap_mail_compose)
 custom_headers_param = mail_newbody_parameter();
 convert_to_string_ex(env_data);
 custom_headers_param->value = (char *) fs_get(Z_STRLEN_PP(env_data) + 1);
+ custom_headers_param->attribute = NULL;
 memcpy(custom_headers_param->value, Z_STRVAL_PP(env_data), Z_STRLEN_PP(env_data) + 1);
 zend_hash_move_forward(Z_ARRVAL_PP(pvalue));
 custom_headers_param->next = tmp_param;
@@ -2939,7 +2940,7 @@ PHP_FUNCTION(imap_mail_compose)
 convert_to_string_ex(pvalue);
 tmp_param = mail_newbody_parameter();
 tmp_param->value = cpystr(Z_STRVAL_PP(pvalue));
- tmp_param->attribute = "CHARSET";
+ tmp_param->attribute = cpystr("CHARSET");
 tmp_param->next = bod->parameter;
 bod->parameter = tmp_param;
 }
@@ -2949,7 +2950,7 @@ PHP_FUNCTION(imap_mail_compose)
 while (zend_hash_get_current_data(Z_ARRVAL_PP(pvalue), (void **) &disp_data) == SUCCESS) {
 disp_param = mail_newbody_parameter();
 zend_hash_get_current_key(Z_ARRVAL_PP(pvalue), &key, &ind, 0);
- disp_param->attribute = key;
+ disp_param->attribute = cpystr(key);
 convert_to_string_ex(disp_data);
 disp_param->value = (char *) fs_get(Z_STRLEN_PP(disp_data) + 1);
 memcpy(disp_param->value, Z_STRVAL_PP(disp_data), Z_STRLEN_PP(disp_data) + 1);
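Review bot: The added `custom_headers_param->attribute = NULL;` in the custom-headers loop has no comment saying why a value-only entry needs it, and it is placed between the `fs_get()` allocation and the `memcpy()` that fills that buffer. If `mail_newbody_parameter()` already returns a zeroed structure (c-client's implementation appears to, but that is not visible here) the assignment is redundant; if it is kept as a defensive measure, say so, for example `/* value-only entry: keep attribute NULL so the parameter free routine never sees a stray pointer */`, and move it directly after the `mail_newbody_parameter()` call. The loop itself starts and ends outside the hunk.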
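Review bot: The ownership rule behind `tmp_param->attribute = cpystr("CHARSET");` is not written down at the assignment: the literal was presumably replaced because the body-parameter list is later released by c-client, which would hand a non-heap pointer to the deallocator. A one-line comment such as `/* attribute and value must be fs_get()-allocated copies; the parameter list is freed with the body */` would keep a later edit from reintroducing a literal. The same replacement is made in the hunk at -3047, where the value is copied with `fs_get()` plus `memcpy()` rather than `cpystr()` as here; writing `tmp_param->value = cpystr(Z_STRVAL_PP(pvalue));` in both places would make the two CHARSET blocks identical. The enclosing block starts outside the hunk.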
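Review bot: `cpystr(key)` is called without checking what `zend_hash_get_current_key()` returned, so for an element with an integer index `key` is not written and the copy reads whatever the variable held before (its declaration and initial value are outside the hunk). With an uninitialised pointer that is an invalid read driven by caller-supplied array data; with a stale one, the previous element's name is silently reused. Test the result before allocating the parameter, `if (zend_hash_get_current_key(Z_ARRVAL_PP(pvalue), &key, &ind, 0) != HASH_KEY_IS_STRING)`, and skip or reject that element while still advancing the iterator. The identical pattern is in the hunks at -2983, -3057 and -3091; the while loop continues past the end of each hunk.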
@@ -2983,7 +2984,7 @@ PHP_FUNCTION(imap_mail_compose)
 while (zend_hash_get_current_data(Z_ARRVAL_PP(pvalue), (void **) &disp_data) == SUCCESS) {
 disp_param = mail_newbody_parameter();
 zend_hash_get_current_key(Z_ARRVAL_PP(pvalue), &key, &ind, 0);
- disp_param->attribute = key;
+ disp_param->attribute = cpystr(key);
 convert_to_string_ex(disp_data);
 disp_param->value = (char *) fs_get(Z_STRLEN_PP(disp_data) + 1);
 memcpy(disp_param->value, Z_STRVAL_PP(disp_data), Z_STRLEN_PP(disp_data) + 1);
@@ -3047,7 +3048,7 @@ PHP_FUNCTION(imap_mail_compose)
 tmp_param = mail_newbody_parameter();
 tmp_param->value = (char *) fs_get(Z_STRLEN_PP(pvalue) + 1);
 memcpy(tmp_param->value, Z_STRVAL_PP(pvalue), Z_STRLEN_PP(pvalue) + 1);
- tmp_param->attribute = "CHARSET";
+ tmp_param->attribute = cpystr("CHARSET");
 tmp_param->next = bod->parameter;
 bod->parameter = tmp_param;
 }
@@ -3057,7 +3058,7 @@ PHP_FUNCTION(imap_mail_compose)
 while (zend_hash_get_current_data(Z_ARRVAL_PP(pvalue), (void **) &disp_data) == SUCCESS) {
 disp_param = mail_newbody_parameter();
 zend_hash_get_current_key(Z_ARRVAL_PP(pvalue), &key, &ind, 0);
- disp_param->attribute = key;
+ disp_param->attribute = cpystr(key);
 convert_to_string_ex(disp_data);
 disp_param->value = (char *) fs_get(Z_STRLEN_PP(disp_data) + 1);
 memcpy(disp_param->value, Z_STRVAL_PP(disp_data), Z_STRLEN_PP(disp_data) + 1);
@@ -3091,7 +3092,7 @@ PHP_FUNCTION(imap_mail_compose)
 while (zend_hash_get_current_data(Z_ARRVAL_PP(pvalue), (void **) &disp_data) == SUCCESS) {
 disp_param = mail_newbody_parameter();
 zend_hash_get_current_key(Z_ARRVAL_PP(pvalue), &key, &ind, 0);
- disp_param->attribute = key;
+ disp_param->attribute = cpystr(key);
 convert_to_string_ex(disp_data);
 disp_param->value = (char *) fs_get(Z_STRLEN_PP(disp_data) + 1);
 memcpy(disp_param->value, Z_STRVAL_PP(disp_data), Z_STRLEN_PP(disp_data) + 1);
diff --git a/ext/imap/tests/bug32589.phpt b/ext/imap/tests/bug32589.phpt
new file mode 100644
index 0000000000..c5030e8970
--- /dev/null
+++ b/ext/imap/tests/bug32589.phpt @@ -0,0 +1,34 @@ +--TEST-- +Bug #32589 (crash inside imap_mail_compose() function) +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +MIME-Version: 1.0 +Content-Type: MULTIPART/mixed; BOUNDARY="%s" + +%s +Content-Type: TEXT/plain; CHARSET=ISO-8859-2 +Content-Description: text_message + +hello +%s -- 2.40.0