@cmb69

cmb69/.patch Secret

Created March 29, 2019 10:13
Fix for PHP bug #77821
From 5dfced2ece567ba9abaa99a7a12314cb969ade22 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Fri, 29 Mar 2019 11:12:09 +0100
Subject: [PATCH] Fix #77821: Potential heap corruption in TSendMail()
`zend_string_tolower()` returns a copy (not a duplicate) of the given
string, if it is already in lower case. In this case we must not
`zend_string_free()` both strings. The cleanest solution is to call
`zend_string_release()` on both strings, which properly handles the
refcount.
---
win32/sendmail.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/win32/sendmail.c b/win32/sendmail.c
index 62d710589d..c171eba950 100644
--- a/win32/sendmail.c
+++ b/win32/sendmail.c
@@ -261,8 +261,9 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
}
if (!found) {
- if (headers_lc) {
- zend_string_free(headers_lc);
+ if (headers) {
+ zend_string_release(headers_trim);
+ zend_string_release(headers_lc);
}
*error = W32_SM_SENDMAIL_FROM_NOT_SET;
return FAILURE;
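Review bot: The guard in the `!found` branch changes from `if (headers_lc)` to `if (headers)`, and a release of `headers_trim` is added that the old code did not perform on this return path; neither change is mentioned in the commit message, which only describes the free-to-release swap. Please note in the message that this path also stops leaking `headers_trim`. The new guard is only safe if both `headers_trim` and `headers_lc` are non-NULL whenever `headers` is non-NULL, which is not visible in this hunk; either confirm that invariant in a comment or guard each pointer on its own.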
@@ -276,8 +277,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
efree(RPath);
}
if (headers) {
- zend_string_free(headers_trim);
- zend_string_free(headers_lc);
+ zend_string_release(headers_trim);
+ zend_string_release(headers_lc);
}
/* 128 is safe here, the specifier in snprintf isn't longer than that */
*error_message = ecalloc(1, HOST_NAME_LEN + 128);
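Review bot: The two-line release pair under `if (headers)` is now repeated verbatim at three exit paths (here, the `!found` branch above and the hunk below). The bug being fixed came from these paths handling the two strings inconsistently, so consider moving the pair into one small static helper or a single cleanup label, so that a future change to the ownership of `headers_trim` or `headers_lc` cannot be applied to one path and missed on another.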
@@ -293,8 +294,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
efree(RPath);
}
if (headers) {
- zend_string_free(headers_trim);
- zend_string_free(headers_lc);
+ zend_string_release(headers_trim);
+ zend_string_release(headers_lc);
}
if (ret != SUCCESS) {
*error = ret;
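Review bot: After the two `zend_string_release()` calls in this `if (headers)` block the function keeps running (the `ret != SUCCESS` check follows), while `headers_trim` and `headers_lc` still hold their old values. Since the fix depends on these two possibly being the same string, a later use of either would be a use after release. Setting both to NULL after the release, or a short comment stating that neither is touched past this point, would make that easy to verify. The diffstat also shows only `win32/sendmail.c` changed; a regression test that passes already-lowercase headers would pin the case described in the commit message.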
--
2.21.0.windows.1