CVE-2003-1302

An attacker sends an email message with a specially crafted `To:` or `From:` header, such as `\\\\\\\\\\ <t@t.com>`, containing many backslash characters. When the recipient's PHP application calls `imap_header()` on that message, the IMAP extension's address parser overflows a fixed-size buffer, causing a segmentation fault. The attack is remote and requires no authentication—the attacker only needs to deliver the malformed email to a mailbox that the target PHP script processes via IMAP. [CWE-120]

The IMAP extension in PHP before 4.3.1, specifically the `imap_header()` function in `ext/imap/php_imap.c`, crashes when parsing email messages with a `To:` or `From:` header containing an address with a large number of backslash (`\`) characters. The crash is triggered by insufficient buffer sizing in the address parsing logic, where the constant `PHP_IMAP_ADDRESS_SIZE_BUF` (set to 10) is too small to handle the expanded representation of heavily escaped addresses.

The patch, referenced in the bug report as available at http://bb.prohost.org/imap.txt, fixes the buffer overflow by correcting the address parsing logic rather than simply increasing `PHP_IMAP_ADDRESS_SIZE_BUF`. The developer noted that merely enlarging the buffer is a temporary fix—an address with hundreds of backslashes would still cause a crash. The proper fix ensures the parser handles arbitrarily long escaped sequences without overflowing. The fix was committed to CVS on 2003-02-11 and shipped in PHP 4.3.1.