Skip to content

Instantly share code, notes, and snippets.

@cmb69

cmb69/.patch Secret

Created Mar 29, 2019
Embed
What would you like to do?
Fix for PHP bug #77821
From 5dfced2ece567ba9abaa99a7a12314cb969ade22 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Fri, 29 Mar 2019 11:12:09 +0100
Subject: [PATCH] Fix #77821: Potential heap corruption in TSendMail()
`zend_string_tolower()` returns a copy (not a duplicate) of the given
string, if it is already in lower case. In this case we must not not
`zend_string_free()` both strings. The cleanest solution is to call
` zend_string_release()` on both strings, which properly handles the
refcount.
---
win32/sendmail.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/win32/sendmail.c b/win32/sendmail.c
index 62d710589d..c171eba950 100644
--- a/win32/sendmail.c
+++ b/win32/sendmail.c
@@ -261,8 +261,9 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
}
if (!found) {
- if (headers_lc) {
- zend_string_free(headers_lc);
+ if (headers) {
+ zend_string_release(headers_trim);
+ zend_string_release(headers_lc);
}
*error = W32_SM_SENDMAIL_FROM_NOT_SET;
return FAILURE;
@@ -276,8 +277,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
efree(RPath);
}
if (headers) {
- zend_string_free(headers_trim);
- zend_string_free(headers_lc);
+ zend_string_release(headers_trim);
+ zend_string_release(headers_lc);
}
/* 128 is safe here, the specifier in snprintf isn't longer than that */
*error_message = ecalloc(1, HOST_NAME_LEN + 128);
@@ -293,8 +294,8 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
efree(RPath);
}
if (headers) {
- zend_string_free(headers_trim);
- zend_string_free(headers_lc);
+ zend_string_release(headers_trim);
+ zend_string_release(headers_lc);
}
if (ret != SUCCESS) {
*error = ret;
--
2.21.0.windows.1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.