Fixed bug #69115 crash in mail

There were two issues

- php_pcre_replace could be used directly and sbject_str could be NULL
- the Windows sendmail variant was freeing something passed from the outside

3 files changed, 17 insertions, 2 deletions

diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index 8a6ecb5817..502ec57f42 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -1221,7 +1221,11 @@ PHPAPI zend_string *php_pcre_replace_impl(pcre_cache_entry *pce, zend_string *su
 				new_len = result_len + subject_len - start_offset;
 				if (new_len > alloc_len) {
 					alloc_len = new_len; /* now we know exactly how long it is */
-					result = zend_string_realloc(result, alloc_len, 0);
+					if (NULL != result) {
+						result = zend_string_realloc(result, alloc_len, 0);
+					} else {
+						result = zend_string_alloc(alloc_len, 0);
+					}
 				}
 				/* stick that last bit of string on our output */
 				memcpy(&result->val[result_len], piece, subject_len - start_offset);
diff --git a/ext/standard/tests/mail/bug69115.phpt b/ext/standard/tests/mail/bug69115.phpt
new file mode 100644
index 0000000000..b22332c091
--- /dev/null
+++ b/ext/standard/tests/mail/bug69115.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #69115 crash in mail (plus indirect pcre test)
+--FILE--
+<?php
+/* Just ensure it doesn't crash when trimming headers */
+$message = "Line 1\r\nLine 2\r\nLine 3";
+mail('caffeinated@not-ever-reached-example.com', 'My Subject', $message, "From: me@me.me");
+?>
+===DONE===
+--EXPECTF--
+%A
+===DONE===
diff --git a/win32/sendmail.c b/win32/sendmail.c
index fd7424dda7..9035c7d37e 100644
--- a/win32/sendmail.c
+++ b/win32/sendmail.c
@@ -292,7 +292,6 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
 			efree(RPath);
 		}
 		if (headers) {
-			efree(headers);
 			efree(headers_lc);
 		}
 		/* 128 is safe here, the specifier in snprintf isn't longer than that */