Sec Bug #78943 mail() may release string with refcount==1 twice
Submitted: 2019-12-10 17:12 UTC Modified: 2019-12-16 19:08 UTC
From: cmb@php.net Assigned: stas (profile)
Status: Closed Package: *Mail Related
PHP Version: 7.3.13RC1 OS: Windows
Private report: No CVE-ID: 2019-11049
 [2019-12-10 17:12 UTC] cmb@php.net
Description:
------------
When a lower-cased string[1] is passed as $additional_headers
argument to mail(), it may be zend_string_released() twice[2].  I
have noticed this when looking at PR #4995[3], where
bug72463_2.phpt often results in a segfault; I couldn't reproduce
the segfault with other versions, but still this double release
looks very wrong.

[1] <https://github.com/php/php-src/blob/php-7.3.12/win32/sendmail.c#L210-L213>
[2] <https://github.com/php/php-src/blob/php-7.3.12/win32/sendmail.c#L270-L273>
[3] <https://github.com/php/php-src/pull/4995>

Test script:
---------------
<?php
mail('cmbecker69@gmx.de', 'test', 'test message', 'from: cmbecker69@gmx.de');

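The ownership hazard the report describes, as an added example that is not code from php-src or the reporter's patch: a small C model (its names and layout are this example's own, only loosely modelled on a refcounted string) of a lowercasing helper that hands back a shared reference to the same object when the input is already lowercase, beside a cleanup that frees both handles unconditionally and one that honours the refcount. A fixed pool stands in for the allocator so that the second free is counted instead of being undefined behaviour; the header strings are taken from the report's test script.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 8
#define MAX_LEN 128

/* Stand-in for a refcounted string; this layout is an assumption of the
 * example, not the real zend_string. */
typedef struct {
    int alive;          /* slot currently holds a live string */
    unsigned refcount;  /* number of owners */
    size_t len;
    char val[MAX_LEN];
} rcstr;

/* Fixed pool instead of malloc(): freeing a dead slot is observable. */
static rcstr pool[POOL_SLOTS];
static int double_frees;  /* attempts to free a slot that is already dead */

static void pool_reset(void) { memset(pool, 0, sizeof pool); double_frees = 0; }

static rcstr *rcstr_new(const char *s) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].alive) continue;
        pool[i].alive = 1;
        pool[i].refcount = 1;
        pool[i].len = strlen(s) < MAX_LEN ? strlen(s) : MAX_LEN - 1;
        memcpy(pool[i].val, s, pool[i].len);
        pool[i].val[pool[i].len] = '\0';
        return &pool[i];
    }
    return NULL;
}

/* Hand out another reference to the same object: refcount++, no copy. */
static rcstr *rcstr_share(rcstr *s) { s->refcount++; return s; }

/* Unconditional free: destroys the object regardless of refcount. */
static void rcstr_free(rcstr *s) {
    if (!s->alive) { double_frees++; return; }
    s->alive = 0;
}

/* Refcount-aware release: destroys only when the last owner lets go. */
static void rcstr_release(rcstr *s) {
    if (!s->alive) { double_frees++; return; }
    if (--s->refcount == 0) s->alive = 0;
}

/* Lowercase helper with a "may alias" contract: an already-lowercase input
 * yields a shared reference to the SAME object, anything else a fresh copy.
 * The caller cannot tell which it got without comparing pointers. */
static rcstr *rcstr_tolower(rcstr *s) {
    for (size_t i = 0; i < s->len; i++) {
        unsigned char c = (unsigned char)s->val[i];
        if (c != (unsigned char)tolower(c)) {
            rcstr *r = rcstr_new(s->val);
            for (size_t j = 0; r && j < r->len; j++)
                r->val[j] = (char)tolower((unsigned char)r->val[j]);
            return r;
        }
    }
    return rcstr_share(s);
}

/* Does lowering this header string alias the original object? */
static int tolower_aliases(const char *headers) {
    pool_reset();
    rcstr *h = rcstr_new(headers);
    return rcstr_tolower(h) == h;
}

/* Cleanup that frees both handles unconditionally. When tolower aliased,
 * the second free hits a dead object. Returns the double-free count. */
static int cleanup_unconditional(const char *headers) {
    pool_reset();
    rcstr *h = rcstr_new(headers);
    rcstr *lc = rcstr_tolower(h);
    /* ... case-insensitive header searches on lc would happen here ... */
    rcstr_free(lc);
    rcstr_free(h);
    return double_frees;
}

/* Cleanup that honours the refcount: the object dies exactly once whether
 * or not lc aliases h. Returns the double-free count (always 0). */
static int cleanup_refcounted(const char *headers) {
    pool_reset();
    rcstr *h = rcstr_new(headers);
    rcstr *lc = rcstr_tolower(h);
    rcstr_release(lc);
    rcstr_release(h);
    return double_frees;
}

int main(void) {
    const char *lower = "from: cmbecker69@gmx.de";  /* report's test input */
    const char *mixed = "From: cmbecker69@gmx.de";
    printf("aliases: lower=%d mixed=%d\n", tolower_aliases(lower), tolower_aliases(mixed));
    printf("unconditional free, double frees: lower=%d mixed=%d\n",
           cleanup_unconditional(lower), cleanup_unconditional(mixed));
    printf("refcounted release, double frees: lower=%d mixed=%d\n",
           cleanup_refcounted(lower), cleanup_refcounted(mixed));
    return 0;
}
```

The point of the model is that the bug only shows up for input that is already lowercase, which is exactly why a test with a mixed-case "From:" header never trips it: the helper's return value must be treated as a second owner of whatever it points to, and released, never freed outright.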

Patches

add-fronk-support (last revision 2022-07-18 03:19 UTC by 1033831147 at qq dot com)

Pull Requests

History

 [2019-12-10 17:12 UTC] cmb@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2019-12-10 17:36 UTC] cmb@php.net
The issue was introduced with commit a5bc5ae[1], so PHP 7.2 is
not affected.

[1] <http://git.php.net/?p=php-src.git;a=commit;h=a5bc5aed71f7a15f14f33bb31b8e17bf5f327e2d>
 [2019-12-10 17:37 UTC] cmb@php.net
-PHP Version: 7.2.26RC1 +PHP Version: 7.3.13RC1
 [2019-12-10 17:38 UTC] cmb@php.net
-Operating System: * +Operating System: Windows
 [2019-12-10 17:38 UTC] cmb@php.net
This affects Windows only.
 [2019-12-10 17:45 UTC] cmb@php.net
-Assigned To: +Assigned To: stas
 [2019-12-10 17:45 UTC] cmb@php.net
Suggested patch:
<https://gist.github.com/cmb69/712c3b2bec75aebf9c57344a026faa29>.

Stas, can you handle this please?
 [2019-12-10 20:07 UTC] stas@php.net
Sure. Not clear how this got into the PCRE2 patch?
 [2019-12-16 19:07 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-11049
 [2019-12-16 19:07 UTC] stas@php.net
Not sure it's even exploitable, but since mail could deal with external data, I'll add a CVE just in case.
 [2019-12-16 19:08 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-12-16 19:08 UTC] stas@php.net
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.


 [2019-12-17 08:38 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=11893c8e665d285f72c2b8a0fbe01a3fcc03b806
Log: Fix #78943: mail() may release string with refcount==1 twice
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 06 05:01:29 2024 UTC