Fix #77821: Potential heap corruption in TSendMail()

`zend_string_tolower()` returns a copy (not a duplicate) of the given string, if it is already in lower case. In this case we must not not `zend_string_free()` both strings. The cleanest solution is to call ` zend_string_release()` on both strings, which properly handles the refcount.
php · Apr 30, 2019 · 6c631cc · 6c631cc · nikic · Apr 30, 2019
1 parent 588db7c
commit 6c631cc
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/win32/sendmail.c b/win32/sendmail.c
@@ -274,8 +274,9 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
 		}
 
 		if (!found) {
-			if (headers_lc) {
-				zend_string_free(headers_lc);
+			if (headers) {
+				zend_string_release(headers_trim);
+				zend_string_release(headers_lc);
 			}
 			*error = W32_SM_SENDMAIL_FROM_NOT_SET;
 			return FAILURE;
@@ -289,8 +290,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
 			efree(RPath);
 		}
 		if (headers) {
-			zend_string_free(headers_trim);
-			zend_string_free(headers_lc);
+			zend_string_release(headers_trim);
+			zend_string_release(headers_lc);
 		}
 		/* 128 is safe here, the specifier in snprintf isn't longer than that */
 		if (NULL == (*error_message = ecalloc(1, HOST_NAME_LEN + 128))) {
@@ -308,8 +309,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
 			efree(RPath);
 		}
 		if (headers) {
-			zend_string_free(headers_trim);
-			zend_string_free(headers_lc);
+			zend_string_release(headers_trim);
+			zend_string_release(headers_lc);
 		}
 		if (ret != SUCCESS) {
 			*error = ret;