From 30830bcefd080cf58231aa195418a4223497ea91 Mon Sep 17 00:00:00 2001
From: Anatol Belski
Date: Fri, 27 Feb 2015 10:42:20 +0100
Subject: [PATCH] Fixed bug #69115 crash in mail
There were two issues
- php_pcre_replace could be used directly and sbject_str could be NULL
- the Windows sendmail variant was freeing something passed from the outside
---
 ext/pcre/php_pcre.c | 6 +++++-
 ext/standard/tests/mail/bug69115.phpt | 12 ++++++++++++
 win32/sendmail.c | 1 -
 3 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 ext/standard/tests/mail/bug69115.phpt
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index 8a6ecb5817..502ec57f42 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -1221,7 +1221,11 @@ PHPAPI zend_string *php_pcre_replace_impl(pcre_cache_entry *pce, zend_string *su
 new_len = result_len + subject_len - start_offset;
 if (new_len > alloc_len) {
 alloc_len = new_len; /* now we know exactly how long it is */
- result = zend_string_realloc(result, alloc_len, 0);
+ if (NULL != result) {
+ result = zend_string_realloc(result, alloc_len, 0);
+ } else {
+ result = zend_string_alloc(alloc_len, 0);
+ }
 }
 /* stick that last bit of string on our output */
 memcpy(&result->val[result_len], piece, subject_len - start_offset);
diff --git a/ext/standard/tests/mail/bug69115.phpt b/ext/standard/tests/mail/bug69115.phpt
new file mode 100644
index 0000000000..b22332c091
--- /dev/null
+++ b/ext/standard/tests/mail/bug69115.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #69115 crash in mail (plus indirect pcre test)
+--FILE--
+
+===DONE===
+--EXPECTF--
+%A
+===DONE===
diff --git a/win32/sendmail.c b/win32/sendmail.c
index fd7424dda7..9035c7d37e 100644
--- a/win32/sendmail.c
+++ b/win32/sendmail.c
@@ -292,7 +292,6 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
 efree(RPath);
 }
 if (headers) {
- efree(headers);
 efree(headers_lc);
 }
 /* 128 is safe here, the specifier in snprintf isn't longer than that */
--
2.40.0
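Review bot: The NULL check added in php_pcre_replace_impl only runs inside `if (new_len > alloc_len)`, so when `result` is still NULL and `new_len` does not exceed `alloc_len`, the `memcpy` into `&result->val[result_len]` right after the block still works from a NULL pointer. That case looks reachable if both lengths are zero at this point, for example an empty remaining subject with no earlier match, though the initial values are set outside the hunk and should be confirmed. Widening the guard to `if (new_len > alloc_len || NULL == result) {` would allocate in that case too, and the regression test could add an empty-subject call to cover it. The function body starts and ends outside the hunk.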