Fixed bug #69115 crash in mail
authorAnatol Belski <ab@php.net>
Fri, 27 Feb 2015 09:42:20 +0000 (10:42 +0100)
committerAnatol Belski <ab@php.net>
Fri, 27 Feb 2015 09:42:20 +0000 (10:42 +0100)
There were two issues

- php_pcre_replace could be used directly and subject_str could be NULL
- the Windows sendmail variant was freeing something passed from the outside

ext/pcre/php_pcre.c
ext/standard/tests/mail/bug69115.phpt [new file with mode: 0644]
win32/sendmail.c

index 8a6ecb5817c7b5db73d0a96ecc2a3ddc5ba806f5..502ec57f4234f10fd3fb21481b013dba2adefab3 100644 (file)
@@ -1221,7 +1221,11 @@ PHPAPI zend_string *php_pcre_replace_impl(pcre_cache_entry *pce, zend_string *su
                                new_len = result_len + subject_len - start_offset;
                                if (new_len > alloc_len) {
                                        alloc_len = new_len; /* now we know exactly how long it is */
-                                       result = zend_string_realloc(result, alloc_len, 0);
+                                       if (NULL != result) {
+                                               result = zend_string_realloc(result, alloc_len, 0);
+                                       } else {
+                                               result = zend_string_alloc(alloc_len, 0);
+                                       }
                                }
                                /* stick that last bit of string on our output */
                                memcpy(&result->val[result_len], piece, subject_len - start_offset);
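Review bot: The new NULL check sits inside `if (new_len > alloc_len)`, so a NULL `result` still reaches the `memcpy(&result->val[result_len], ...)` line below whenever `new_len` does not exceed `alloc_len`, for example a zero-length remainder if `alloc_len` starts at 0 (its initial value is outside this hunk). Widening the condition to `if (NULL == result || new_len > alloc_len) {` would cover that case. The enclosing function starts and ends outside the hunk, so an earlier guard may already rule this out; if so, a one-line comment saying where would help.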
diff --git a/ext/standard/tests/mail/bug69115.phpt b/ext/standard/tests/mail/bug69115.phpt
new file mode 100644 (file)
index 0000000..b22332c
--- /dev/null
@@ -0,0 +1,12 @@
+--TEST--
+Bug #69115 crash in mail (plus indirect pcre test)
+--FILE--
+<?php
+/* Just ensure it doesn't crash when trimming headers */
+$message = "Line 1\r\nLine 2\r\nLine 3";
+mail('caffeinated@not-ever-reached-example.com', 'My Subject', $message, "From: me@me.me");
+?>
+===DONE===
+--EXPECTF--
+%A
+===DONE===
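Review bot: The `mail(...)` call goes through whatever transport the test machine is configured with, and both addresses use domains that could be registered (`not-ever-reached-example.com`, `me.me`), so on a host with a working MTA or SMTP setting the test may attempt a real delivery. Reserved names from RFC 2606 avoid that, e.g. `mail('nobody@example.invalid', 'My Subject', $message, "From: me@example.invalid");`. Because `%A` accepts any output, the test only detects a crash; pinning the transport in an `--INI--` section (or skipping where none is usable via `--SKIPIF--`) would make that intent explicit and the result reproducible.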
index fd7424dda7306198fa55f1081b09e5e31a054a3d..9035c7d37ec90b8498f91f27ef5ea8f70ac80494 100644 (file)
@@ -292,7 +292,6 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
                        efree(RPath);
                }
                if (headers) {
-                       efree(headers);
                        efree(headers_lc);
                }
                /* 128 is safe here, the specifier in snprintf isn't longer than that */
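Review bot: With `efree(headers)` removed, the `if (headers)` guard now protects only `efree(headers_lc)`, and nothing at this site records that `headers` belongs to the caller. A comment such as `/* headers is owned by the caller; only headers_lc was allocated here */` would keep the free from being re-added later. The guard would also read more directly as `if (headers_lc)`, provided that pointer is NULL whenever no copy was made, which is not visible in this hunk. TSendMail has other exit paths outside the hunk, and they should be checked for the same free of the caller's buffer.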