author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-03-29 11:12:09 +0100 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2019-04-29 22:08:19 -0700 |
commit | 6c631ccfef94f93259d474682f8bfa803e163c87 (patch) | |
tree | 1e03dc08ac9acc7f7fa48170c4fde1d4fc2230c1 | |
parent | 588db7cecf6cf8b351de0fecdfc7de70f54bf1b1 (diff) | |
download | php-git-6c631ccfef94f93259d474682f8bfa803e163c87.tar.gz |
Fix #77821: Potential heap corruption in TSendMail()
`zend_string_tolower()` returns a copy (not a duplicate) of the given
string, if it is already in lower case. In this case we must not
`zend_string_free()` both strings. The cleanest solution is to call
`zend_string_release()` on both strings, which properly handles the
refcount.
-rw-r--r-- | win32/sendmail.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/win32/sendmail.c b/win32/sendmail.c
index 808fc8f5fd..c11da78f32 100644
--- a/win32/sendmail.c
+++ b/win32/sendmail.c
@@ -274,8 +274,9 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
 }
 if (!found) {
- if (headers_lc) {
- zend_string_free(headers_lc);
+ if (headers) {
+ zend_string_release(headers_trim);
+ zend_string_release(headers_lc);
 }
 *error = W32_SM_SENDMAIL_FROM_NOT_SET;
 return FAILURE;
@@ -289,8 +290,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
 efree(RPath);
 }
 if (headers) {
- zend_string_free(headers_trim);
- zend_string_free(headers_lc);
+ zend_string_release(headers_trim);
+ zend_string_release(headers_lc);
 }
 /* 128 is safe here, the specifier in snprintf isn't longer than that */
 if (NULL == (*error_message = ecalloc(1, HOST_NAME_LEN + 128))) {
@@ -308,8 +309,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
 efree(RPath);
 }
 if (headers) {
- zend_string_free(headers_trim);
- zend_string_free(headers_lc);
+ zend_string_release(headers_trim);
+ zend_string_release(headers_lc);
 }
 if (ret != SUCCESS) {
 *error = ret; |
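Review bot: The reason the calls in the `if (!found)` branch must be `zend_string_release()` and not `zend_string_free()` is recorded only in the commit message, so nothing at the call site stops a later cleanup from reintroducing the double free. I would add `/* headers_lc may be the same zend_string as headers_trim (zend_string_tolower() returns its argument with the refcount bumped when it is already lower case): release, never free */` above the two calls; the same comment fits the identical pairs in the second and third hunks. The guard also changed from `headers_lc` to `headers`, which is safe only if both strings are always set whenever `headers` is non-NULL; that assignment is outside the hunk and worth confirming, since `zend_string_release()` does not accept NULL. TSendMail's body starts and ends outside the hunks.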
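Review bot: The same two-line release under `if (headers)` is now repeated at three exits of TSendMail (this second hunk, the `if (!found)` branch and the third hunk), and the removed lines of the first hunk show how such copies drift: that branch freed only `headers_lc` and never `headers_trim`. Folding the pair into one helper keeps the exits identical, for example `static void release_header_strings(zend_string *trim, zend_string *lc) { zend_string_release(trim); zend_string_release(lc); }` called as `if (headers) release_header_strings(headers_trim, headers_lc);`. The enclosing function continues outside the hunk, so other exits may need the same call.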