PHP :: Sec Bug #78943 :: mail() may release string with refcount==1 twice

Sec Bug #78943	mail() may release string with refcount==1 twice
Submitted:	2019-12-10 17:12 UTC	Modified:	2019-12-16 19:08 UTC
From:	cmb@php.net	Assigned:	stas (profile)
Status:	Closed	Package:	*Mail Related
PHP Version:	7.3.13RC1	OS:	Windows
Private report:	No	CVE-ID:	2019-11049

View Add Comment Developer Edit

[2019-12-10 17:12 UTC] cmb@php.net

Description:
------------
When a lower cased string[1] is passed as $additional_headers
argument to mail(), it may be zend_string_released() twice[2].  I
have noticed this when looking at PR #4995[3], where
bug72463_2.phpt often results in a segfault; I couldn't reproduce
the segfault with other versions, but still this double release
looks very wrong.

[1] <https://github.com/php/php-src/blob/php-7.3.12/win32/sendmail.c#L210-L213>
[2] <https://github.com/php/php-src/blob/php-7.3.12/win32/sendmail.c#L270-L273>
[3] <https://github.com/php/php-src/pull/4995>

Test script:
---------------
<?php
mail('cmbecker69@gmx.de', 'test', 'test message', 'from: cmbecker69@gmx.de');

Patches

add-fronk-support (last revision 2022-07-18 03:19 UTC by 1033831147 at qq dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-12-10 17:12 UTC] cmb@php.net

-Type: Bug +Type: Security -Private report: No +Private report: Yes

[2019-12-10 17:36 UTC] cmb@php.net

Issue has been introduced with commit a5bc5ae[1], so PHP 7.2 is
not affected.

[1] <http://git.php.net/?p=php-src.git;a=commit;h=a5bc5aed71f7a15f14f33bb31b8e17bf5f327e2d>

[2019-12-10 17:37 UTC] cmb@php.net

-PHP Version: 7.2.26RC1 +PHP Version: 7.3.13RC1

[2019-12-10 17:38 UTC] cmb@php.net

-Operating System: * +Operating System: Windows

[2019-12-10 17:38 UTC] cmb@php.net

This affects Windows only.

[2019-12-10 17:45 UTC] cmb@php.net

-Assigned To: +Assigned To: stas

[2019-12-10 17:45 UTC] cmb@php.net

Suggested patch:
<https://gist.github.com/cmb69/712c3b2bec75aebf9c57344a026faa29>.

Stas, can you handle this please?

[2019-12-10 20:07 UTC] stas@php.net

Sure. Not clear how this got into PCRE2 patch?

[2019-12-16 19:07 UTC] stas@php.net

-CVE-ID: +CVE-ID: 2019-11049

[2019-12-16 19:07 UTC] stas@php.net

Not sure it's even exploitable, but since mail could deal with external data, I'll add a CVE just in case.

[2019-12-16 19:08 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2019-12-16 19:08 UTC] stas@php.net

The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.

[2019-12-17 08:38 UTC] cmb@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=11893c8e665d285f72c2b8a0fbe01a3fcc03b806
Log: Fix #78943: mail() may release string with refcount==1 twice

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 16 16:01:28 2024 UTC