1 files changed, 52 insertions, 0 deletions

diff --git a/user/php7/CVE-2018-19935.patch b/user/php7/CVE-2018-19935.patch
new file mode 100644
index 000000000..e24310f42
--- /dev/null
+++ b/user/php7/CVE-2018-19935.patch
@@ -0,0 +1,52 @@
+From 648fc1e369fc05fb9200a42c7938912236b2a318 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 11 Nov 2018 10:04:01 -0800
+Subject: [PATCH] Fix #77020: null pointer dereference in imap_mail
+
+If an empty $message is passed to imap_mail(), we must not set message
+to NULL, since _php_imap_mail() is not supposed to handle NULL pointers
+(opposed to pointers to NUL).
+
+(cherry picked from commit 7edc639b9ff1c3576773d79d016abbeed1f93846)
+---
+ ext/imap/php_imap.c          |  1 -
+ ext/imap/tests/bug77020.phpt | 15 +++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 ext/imap/tests/bug77020.phpt
+
+diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
+index 9e626a4..01d1a5f 100644
+--- a/ext/imap/php_imap.c
++++ b/ext/imap/php_imap.c
+@@ -4116,7 +4116,6 @@ PHP_FUNCTION(imap_mail)
+ 	if (!ZSTR_LEN(message)) {
+ 		/* this is not really an error, so it is allowed. */
+ 		php_error_docref(NULL, E_WARNING, "No message string in mail command");
+-		message = NULL;
+ 	}
+ 
+ 	if (_php_imap_mail(ZSTR_VAL(to), ZSTR_VAL(subject), ZSTR_VAL(message), headers?ZSTR_VAL(headers):NULL, cc?ZSTR_VAL(cc):NULL,
+diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt
+new file mode 100644
+index 0000000..8a65232
+--- /dev/null
++++ b/ext/imap/tests/bug77020.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #77020 (null pointer dereference in imap_mail)
++--SKIPIF--
++<?php
++if (!extension_loaded('imap')) die('skip imap extension not available');
++?>
++--FILE--
++<?php
++imap_mail('1', 1, NULL);
++?>
++===DONE===
++--EXPECTF--
++Warning: imap_mail(): No message string in mail command in %s on line %d
++%s
++===DONE===
+-- 
+2.1.4
+