Fix for PHP bug #77821
From 5dfced2ece567ba9abaa99a7a12314cb969ade22 Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Fri, 29 Mar 2019 11:12:09 +0100 | |
Subject: [PATCH] Fix #77821: Potential heap corruption in TSendMail() | |
`zend_string_tolower()` returns a copy (not a duplicate) of the given | |
string, if it is already in lower case. In this case we must not | |
`zend_string_free()` both strings. The cleanest solution is to call | |
`zend_string_release()` on both strings, which properly handles the | |
refcount. | |
--- | |
win32/sendmail.c | 13 +++++++------ | |
1 file changed, 7 insertions(+), 6 deletions(-) | |
diff --git a/win32/sendmail.c b/win32/sendmail.c | |
index 62d710589d..c171eba950 100644 | |
--- a/win32/sendmail.c | |
+++ b/win32/sendmail.c | |
@@ -261,8 +261,9 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message, | |
} | |
if (!found) { | |
- if (headers_lc) { | |
- zend_string_free(headers_lc); | |
+ if (headers) { | |
+ zend_string_release(headers_trim); | |
+ zend_string_release(headers_lc); | |
} | |
*error = W32_SM_SENDMAIL_FROM_NOT_SET; | |
return FAILURE; | |
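Review bot: The guard in the `if (!found)` branch now tests `headers` while releasing `headers_trim` and `headers_lc`, and `zend_string_release()` dereferences its argument, so this exit is only safe if both strings are always set once `headers` is non-NULL. That setup happens outside the hunk and presumably holds, but a one-line comment such as `/* headers != NULL implies headers_trim and headers_lc are both set */` would record the invariant this free path depends on. The same release pair is repeated in the two later hunks (each after `efree(RPath)`), and the removed lines show the first site had already drifted from the other two, so a small static helper called from all three exits would keep the refcount handling in one place. TSendMail's body starts and ends outside the hunk.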
@@ -276,8 +277,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message, | |
efree(RPath); | |
} | |
if (headers) { | |
- zend_string_free(headers_trim); | |
- zend_string_free(headers_lc); | |
+ zend_string_release(headers_trim); | |
+ zend_string_release(headers_lc); | |
} | |
/* 128 is safe here, the specifier in snprintf isn't longer than that */ | |
*error_message = ecalloc(1, HOST_NAME_LEN + 128); | |
@@ -293,8 +294,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message, | |
efree(RPath); | |
} | |
if (headers) { | |
- zend_string_free(headers_trim); | |
- zend_string_free(headers_lc); | |
+ zend_string_release(headers_trim); | |
+ zend_string_release(headers_lc); | |
} | |
if (ret != SUCCESS) { | |
*error = ret; | |
-- | |
2.21.0.windows.1 | |