From: Anatol Belski Date: Fri, 27 Feb 2015 09:42:20 +0000 (+0100) Subject: Fixed bug #69115 crash in mail X-Git-Tag: PRE_PHP7_EREG_MYSQL_REMOVALS~55^2~1 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=30830bcefd080cf58231aa195418a4223497ea91;p=php Fixed bug #69115 crash in mail There were two issues - php_pcre_replace could be used directly and sbject_str could be NULL - the Windows sendmail variant was freeing something passed from the outside --- diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c index 8a6ecb5817..502ec57f42 100644 --- a/ext/pcre/php_pcre.c +++ b/ext/pcre/php_pcre.c @@ -1221,7 +1221,11 @@ PHPAPI zend_string *php_pcre_replace_impl(pcre_cache_entry *pce, zend_string *su new_len = result_len + subject_len - start_offset; if (new_len > alloc_len) { alloc_len = new_len; /* now we know exactly how long it is */ - result = zend_string_realloc(result, alloc_len, 0); + if (NULL != result) { + result = zend_string_realloc(result, alloc_len, 0); + } else { + result = zend_string_alloc(alloc_len, 0); + } } /* stick that last bit of string on our output */ memcpy(&result->val[result_len], piece, subject_len - start_offset); diff --git a/ext/standard/tests/mail/bug69115.phpt b/ext/standard/tests/mail/bug69115.phpt new file mode 100644 index 0000000000..b22332c091 --- /dev/null +++ b/ext/standard/tests/mail/bug69115.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #69115 crash in mail (plus indirect pcre test) +--FILE-- + +===DONE=== +--EXPECTF-- +%A +===DONE=== diff --git a/win32/sendmail.c b/win32/sendmail.c index fd7424dda7..9035c7d37e 100644 --- a/win32/sendmail.c +++ b/win32/sendmail.c @@ -292,7 +292,6 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message, efree(RPath); } if (headers) { - efree(headers); efree(headers_lc); } /* 128 is safe here, the specifier in snprintf isn't longer than that */