Sec Bug #77821 Potential heap corruption in TSendMail()
Submitted: 2019-03-29 10:09 UTC Modified: 2019-04-30 05:08 UTC
From: Assigned: ab (profile)
Status: Closed Package: *Mail Related
PHP Version: 7.1 OS: Windows
Private report: No CVE-ID: None


 [2019-03-29 10:09 UTC]
Running ext/standard/tests/mail/mail_basic_alt2-win32.phpt
sometimes yields Critical error detected c0000374, which indicates
a heap corruption.

Test script:


 [2019-03-29 10:19 UTC]
-Assigned To: +Assigned To: ab
 [2019-03-29 10:19 UTC]
Suggested fix for PHP 7.2:

For PHP 7.3 and up the situation is slightly different, since code
has been added to release one of the strings right away if
`zend_string_tolower()` returns a copy[1].  It seems to me that
this code should be removed (since it relies on internals of the
API), and the 7.2 fix be applied.

[1] <>
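
The ownership concern raised in the comment above (cleanup that depends on whether the lowercasing call handed back a separate string), as an added toy model in C; it is not PHP's code and not the suggested patch. `rstr`, `rstr_tolower`, `rstr_free`, `rstr_release` and `cleanup` are hypothetical stand-ins, and the model assumes the lowercasing call may return the same string with an extra reference.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Toy refcounted string (hypothetical stand-in for a refcounted string API). */
typedef struct { unsigned refcount; size_t len; char val[1]; } rstr;
static int live_allocs = 0, unsafe_frees = 0;

static rstr *rstr_new(const char *s) {
    size_t n = strlen(s);
    rstr *r = malloc(sizeof(rstr) + n);
    if (!r) abort();
    r->refcount = 1; r->len = n;
    memcpy(r->val, s, n + 1);
    live_allocs++;
    return r;
}

/* Assumption of the model: returns a new string, OR the same one with refcount+1. */
static rstr *rstr_tolower(rstr *s) {
    size_t i = 0;
    while (i < s->len && !isupper((unsigned char)s->val[i])) i++;
    if (i == s->len) { s->refcount++; return s; }   /* already lower case */
    rstr *r = rstr_new(s->val);
    for (i = 0; i < r->len; i++) r->val[i] = (char)tolower((unsigned char)r->val[i]);
    return r;
}

/* Refcount-aware: drops one reference, frees only on the last one. */
static void rstr_release(rstr *s) {
    if (--s->refcount == 0) { free(s); live_allocs--; }
}

/* Unconditional free. A still-shared string is only counted here, not freed,
   so the model stays well-defined; a real allocator would see a double free. */
static void rstr_free(rstr *s) {
    if (s->refcount > 1) { unsafe_frees++; s->refcount--; return; }
    free(s); live_allocs--;
}

/* Builds headers plus its lower-cased form, drops both, reports unsafe frees. */
static int cleanup(const char *headers, void (*drop)(rstr *)) {
    unsafe_frees = 0;
    rstr *h = rstr_new(headers), *lc = rstr_tolower(h);
    drop(lc); drop(h);
    return unsafe_frees;
}

int main(void) { return cleanup("x-mailer: test", rstr_release) || live_allocs; }
```

In the model, only the already-lower-case input trips the unconditional free, which matches a failure that shows up only for some inputs; the refcount-aware release is balanced in both cases without inspecting what the lowercasing call returned.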
 [2019-03-31 06:52 UTC]
Is this bug not present in 7.1?
 [2019-03-31 10:46 UTC]
What is the backtrace?

 [2019-03-31 10:55 UTC]
-PHP Version: 7.2Git-2019-03-29 (Git) +PHP Version: 7.1
 [2019-03-31 10:55 UTC]
Thanks, Stas!  Indeed, PHP-7.1 is affected as well, and the
suggested patch[1] has to be applied there, too.

Backtrace is:

ntdll.dll!00007ffb6e35aed2() (Unknown Source:0)
ntdll.dll!00007ffb6e36379e() (Unknown Source:0)
ntdll.dll!00007ffb6e363aaa() (Unknown Source:0)
ntdll.dll!00007ffb6e2febc1() (Unknown Source:0)
ntdll.dll!00007ffb6e30cd22() (Unknown Source:0)
ucrtbase.dll!00007ffb6a6ec7eb() (Unknown Source:0)
[Inline Frame] php7.dll!zend_string_free(_zend_string *) Line 264 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_string.h:264)
php7.dll!TSendMail(char * host, int * error, char * * error_message, char * headers, char * Subject, char * mailTo, char * data, char * mailCc, char * mailBcc, char * mailRPath) Line 312 (d:\php-sdk\phpdev\vc14\x64\php-src\win32\sendmail.c:312)
php7.dll!php_mail(char * to, char * subject, char * message, char * headers, char * extra_cmd) Line 342 (d:\php-sdk\phpdev\vc14\x64\php-src\ext\standard\mail.c:342)
php7.dll!zif_mail(_zend_execute_data * execute_data, _zval_struct * return_value) Line 174 (d:\php-sdk\phpdev\vc14\x64\php-src\ext\standard\mail.c:174)
php7.dll!ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER(_zend_execute_data * execute_data) Line 685 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_vm_execute.h:685)
php7.dll!execute_ex(_zend_execute_data * ex) Line 432 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_vm_execute.h:432)
php7.dll!zend_execute(_zend_op_array * op_array, _zval_struct * return_value) Line 475 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend_vm_execute.h:475)
php7.dll!zend_execute_scripts(int type, _zval_struct * retval, int file_count, ...) Line 1483 (d:\php-sdk\phpdev\vc14\x64\php-src\Zend\zend.c:1483)
php7.dll!php_execute_script(_zend_file_handle * primary_file) Line 2577 (d:\php-sdk\phpdev\vc14\x64\php-src\main\main.c:2577)
php.exe!do_cli(int argc, char * * argv) Line 994 (d:\php-sdk\phpdev\vc14\x64\php-src\sapi\cli\php_cli.c:994)
php.exe!main(int argc, char * * argv) Line 1381 (d:\php-sdk\phpdev\vc14\x64\php-src\sapi\cli\php_cli.c:1381)
[Inline Frame] php.exe!invoke_main() Line 64 (f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:64)
php.exe!__scrt_common_main_seh() Line 253 (f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253)
kernel32.dll!00007ffb6e1881f4() (Unknown Source:0)

[1] <>
 [2019-03-31 12:05 UTC]
Thanks for the BT. The patch looks correct. I've no environment to test it right now; as it fixes it for Christoph, it should be fine to include. Christoph, please add a test, if possible.

 [2019-03-31 12:10 UTC]
> Christoph, please add a test, if possible.

There is already mail_basic_alt2-win32.phpt, which is failing (at least sometimes) because of the bug.
 [2019-04-30 05:10 UTC]
Automatic comment on behalf of
Log: Fix #77821: Potential heap corruption in TSendMail()
 [2019-04-30 05:10 UTC]
-Status: Assigned +Status: Closed