authorChristoph M. Becker <cmbecker69@gmx.de>2019-03-29 11:12:09 +0100
committerStanislav Malyshev <stas@php.net>2019-04-29 22:08:19 -0700
commit6c631ccfef94f93259d474682f8bfa803e163c87 (patch)
tree1e03dc08ac9acc7f7fa48170c4fde1d4fc2230c1
parent588db7cecf6cf8b351de0fecdfc7de70f54bf1b1 (diff)
Fix #77821: Potential heap corruption in TSendMail()
`zend_string_tolower()` returns a copy (not a duplicate) of the given string if it is already in lower case. In this case we must not `zend_string_free()` both strings. The cleanest solution is to call `zend_string_release()` on both strings, which properly handles the refcount.
-rw-r--r--win32/sendmail.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/win32/sendmail.c b/win32/sendmail.c
index 808fc8f5fd..c11da78f32 100644
--- a/win32/sendmail.c
+++ b/win32/sendmail.c
@@ -274,8 +274,9 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
}
if (!found) {
- if (headers_lc) {
- zend_string_free(headers_lc);
+ if (headers) {
+ zend_string_release(headers_trim);
+ zend_string_release(headers_lc);
}
*error = W32_SM_SENDMAIL_FROM_NOT_SET;
return FAILURE;
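Review bot: The release pair for headers_trim and headers_lc is now duplicated at three exits (this hunk and the two at new-file lines 290 and 309), and before this fix the first site had already drifted from the other two by releasing only headers_lc under a different guard. Moving the refcount-aware cleanup into one static helper called from all three exits keeps the pairing in a single place, so a later edit cannot reintroduce an asymmetric free of the kind this commit repairs. The helper below assumes headers_trim and headers_lc are both set whenever headers is non-NULL, which the two later hunks already rely on; TSendMail's body starts and ends outside this hunk, so that could not be confirmed from here.
```c
/* Drops the two strings derived from `headers`. zend_string_release()
 * honours the refcount, so this is correct whether zend_string_tolower()
 * returned a fresh copy or merely re-referenced its input. */
static void release_header_copies(zend_string *headers_trim, zend_string *headers_lc)
{
	zend_string_release(headers_trim);
	zend_string_release(headers_lc);
}

/* … unchanged: TSendMail up to each error/exit path … */
		if (headers) {
			release_header_copies(headers_trim, headers_lc);
		}
```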
@@ -289,8 +290,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
efree(RPath);
}
if (headers) {
- zend_string_free(headers_trim);
- zend_string_free(headers_lc);
+ zend_string_release(headers_trim);
+ zend_string_release(headers_lc);
}
/* 128 is safe here, the specifier in snprintf isn't longer than that */
if (NULL == (*error_message = ecalloc(1, HOST_NAME_LEN + 128))) {
@@ -308,8 +309,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
efree(RPath);
}
if (headers) {
- zend_string_free(headers_trim);
- zend_string_free(headers_lc);
+ zend_string_release(headers_trim);
+ zend_string_release(headers_lc);
}
if (ret != SUCCESS) {
*error = ret;