Sec Bug #78943 mail() may release string with refcount==1 twice
Submitted: 2019-12-10 17:12 UTC Modified: 2019-12-16 19:08 UTC
From: cmb@php.net Assigned: stas (profile)
Status: Closed Package: *Mail Related
PHP Version: 7.3.13RC1 OS: Windows
Private report: No CVE-ID: 2019-11049

 [2019-12-10 17:12 UTC] cmb@php.net
Description:
------------
When a lower-cased string[1] is passed as the $additional_headers
argument to mail(), it may be zend_string_released() twice[2].  I
have noticed this when looking at PR #4995[3], where
bug72463_2.phpt often results in a segfault; I couldn't reproduce
the segfault with other versions, but still this double release
looks very wrong.

[1] <https://github.com/php/php-src/blob/php-7.3.12/win32/sendmail.c#L210-L213>
[2] <https://github.com/php/php-src/blob/php-7.3.12/win32/sendmail.c#L270-L273>
[3] <https://github.com/php/php-src/pull/4995>

Test script:
---------------
<?php
mail('cmbecker69@gmx.de', 'test', 'test message', 'from: cmbecker69@gmx.de');


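As an added illustration (constructed model, not php-src code), the snippet below models the ownership contract behind the report: a tolower helper that, like zend_string_tolower() is assumed to, either returns a fresh copy or hands back the input with one extra reference, so the callee owes exactly one release either way. The release function reports a second release of an already-freed string instead of corrupting the heap; the names rstr, rstr_tolower and process_headers are hypothetical.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a refcounted string; not php-src's zend_string. */
typedef struct { int refcount; int freed; char *val; } rstr;

static rstr *rstr_new(const char *s) {
    rstr *r = calloc(1, sizeof *r);
    size_t n = strlen(s) + 1;
    r->refcount = 1;
    r->val = malloc(n);
    memcpy(r->val, s, n);
    return r;
}

/* Drop one reference; the buffer is freed on the last one. Returns 1 when
 * called on a string that was already freed, i.e. the double release. */
static int rstr_release(rstr *r) {
    if (r->freed) return 1;
    if (--r->refcount == 0) { free(r->val); r->val = NULL; r->freed = 1; }
    return 0;
}

/* Assumed to mirror zend_string_tolower(): a lowercased copy when the input
 * has uppercase characters, otherwise the input itself with one extra
 * reference. In both cases the caller owes exactly one release. */
static rstr *rstr_tolower(rstr *r) {
    for (const char *p = r->val; *p; p++) {
        if (isupper((unsigned char)*p)) {
            rstr *lc = rstr_new(r->val);
            for (char *q = lc->val; *q; q++) *q = (char)tolower((unsigned char)*q);
            return lc;
        }
    }
    r->refcount++;
    return r;
}

/* Hypothetical stand-in for the header handling in mail(). With `buggy`
 * set, headers_lc is released a second time, as the report describes.
 * Returns how many releases hit an already-freed string, counting the
 * caller's own release of `headers` afterwards. */
static int process_headers(const char *headers_text, int buggy) {
    rstr *headers = rstr_new(headers_text);
    rstr *headers_lc = rstr_tolower(headers);
    int bad = 0;
    /* ... header trimming/parsing on headers_lc->val would happen here ... */
    bad += rstr_release(headers_lc);            /* the one release that is owed */
    if (buggy) bad += rstr_release(headers_lc); /* the extra release */
    bad += rstr_release(headers);               /* caller drops its reference */
    if (headers_lc != headers) free(headers_lc);
    free(headers);
    return bad;
}
```

For an already lower-case header the extra release silently consumes the caller's reference, so the caller's own release is the one that hits freed memory; for a header containing uppercase characters the extra release itself is the faulty one.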
History

 [2019-12-10 17:12 UTC] cmb@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2019-12-10 17:36 UTC] cmb@php.net
The issue was introduced with commit a5bc5ae[1], so PHP 7.2 is
not affected.

[1] <http://git.php.net/?p=php-src.git;a=commit;h=a5bc5aed71f7a15f14f33bb31b8e17bf5f327e2d>
 [2019-12-10 17:37 UTC] cmb@php.net
-PHP Version: 7.2.26RC1 +PHP Version: 7.3.13RC1
 [2019-12-10 17:38 UTC] cmb@php.net
-Operating System: * +Operating System: Windows
 [2019-12-10 17:38 UTC] cmb@php.net
This affects Windows only.
 [2019-12-10 17:45 UTC] cmb@php.net
-Assigned To: +Assigned To: stas
 [2019-12-10 17:45 UTC] cmb@php.net
Suggested patch:
<https://gist.github.com/cmb69/712c3b2bec75aebf9c57344a026faa29>.

Stas, can you handle this please?
 [2019-12-10 20:07 UTC] stas@php.net
Sure. Not clear how this got into PCRE2 patch?
 [2019-12-16 19:07 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-11049
 [2019-12-16 19:07 UTC] stas@php.net
Not sure it's even exploitable, but since mail could deal with external data, I'll add a CVE just in case.
 [2019-12-16 19:08 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-12-16 19:08 UTC] stas@php.net
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.


 [2019-12-17 08:38 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=11893c8e665d285f72c2b8a0fbe01a3fcc03b806
Log: Fix #78943: mail() may release string with refcount==1 twice