From 6c631ccfef94f93259d474682f8bfa803e163c87 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Fri, 29 Mar 2019 11:12:09 +0100
Subject: Fix #77821: Potential heap corruption in TSendMail()

`zend_string_tolower()` returns a copy (not a duplicate) of the given string, if it is already in lower case. In this case we must not not `zend_string_free()` both strings. The cleanest solution is to call ` zend_string_release()` on both strings, which properly handles the refcount.
---
 win32/sendmail.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/win32/sendmail.c b/win32/sendmail.c
index 808fc8f5fd..c11da78f32 100644
--- a/win32/sendmail.c
+++ b/win32/sendmail.c
@@ -274,8 +274,9 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
 	}
 	if (!found) {
-		if (headers_lc) {
-			zend_string_free(headers_lc);
+		if (headers) {
+			zend_string_release(headers_trim);
+			zend_string_release(headers_lc);
 		}
 		*error = W32_SM_SENDMAIL_FROM_NOT_SET;
 		return FAILURE;
@@ -289,8 +290,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
 		efree(RPath);
 	}
 	if (headers) {
-		zend_string_free(headers_trim);
-		zend_string_free(headers_lc);
+		zend_string_release(headers_trim);
+		zend_string_release(headers_lc);
 	}
 	/* 128 is safe here, the specifier in snprintf isn't longer than that */
 	if (NULL == (*error_message = ecalloc(1, HOST_NAME_LEN + 128))) {
@@ -308,8 +309,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
 		efree(RPath);
 	}
 	if (headers) {
-		zend_string_free(headers_trim);
-		zend_string_free(headers_lc);
+		zend_string_release(headers_trim);
+		zend_string_release(headers_lc);
 	}
 	if (ret != SUCCESS) {
 		*error = ret;
--
cgit v1.2.1
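Review bot: The three exit paths now carry an identical cleanup block (this hunk and the two at @@ -289 and @@ -308), which is the same duplication that let the first path drift to `zend_string_free(headers_lc)` alone and produce the double free being fixed; a single `fail:` label doing `if (headers) { zend_string_release(headers_trim); zend_string_release(headers_lc); }` with `goto fail;` at each site would keep the release logic in one place so the paths cannot diverge again. The reason `zend_string_release()` is required rather than `zend_string_free()` lives only in the commit message, so a one-line comment at the first release site would stop a later cleanup from reintroducing the bug: `/* headers_lc may be a refcounted copy of headers_trim (zend_string_tolower() on already-lowercase input): release, never free */`. The new `if (headers)` guard in this hunk also presumes headers_trim and headers_lc are both set whenever headers is, as the two later exits already did; that is plausible but not visible from these lines. TSendMail() begins before this hunk and continues past the last one.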