Sec Bug #78943 mail() may release string with refcount==1 twice
Submitted: 2019-12-10 17:12 UTC Modified: 2019-12-16 19:08 UTC
From: Assigned: stas (profile)
Status: Closed Package: *Mail Related
PHP Version: 7.3.13RC1 OS: Windows
Private report: No CVE-ID: 2019-11049
 [2019-12-10 17:12 UTC]
When a lower cased string[1] is passed as $additional_headers
argument to mail(), it may be zend_string_released() twice[2].  I
have noticed this when looking at PR #4995[3], where
bug72463_2.phpt often results in a segfault; I couldn't reproduce
the segfault with other versions, but still this double release
looks very wrong.

[1] <>
[2] <>
[3] <>

Test script:
mail('', 'test', 'test message', 'from:');
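
The double release described in the report, as an added C model that is not PHP's source and not part of the original report. The `rc_str` type and all function names are hypothetical, and the model assumes a lowercasing helper that returns the input object itself, with one added reference, when the string is already lower case. Releases are counted instead of freeing at zero so the imbalance can be observed safely.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical refcounted string for illustration; not PHP's zend_string. */
typedef struct { int refcount; int stale_releases; char val[32]; } rc_str;

static rc_str *rc_new(const char *s) {
    rc_str *p = calloc(1, sizeof *p);
    if (!p) abort();
    strncpy(p->val, s, sizeof p->val - 1);   /* calloc keeps the terminator */
    p->refcount = 1;
    return p;
}

/* Drop one reference. A real allocator would free() at zero; this model
 * keeps the object alive and counts releases that arrive after zero. */
static void rc_release(rc_str *p) {
    if (p->refcount > 0) p->refcount--;
    else p->stale_releases++;
}

/* Assumed helper behaviour: already-lowercase input comes back as the same
 * object with one extra reference; anything else yields a new string. */
static rc_str *rc_tolower(rc_str *in) {
    size_t i = 0;
    while (in->val[i] && !isupper((unsigned char)in->val[i])) i++;
    if (!in->val[i]) { in->refcount++; return in; }
    rc_str *out = rc_new(in->val);
    for (; out->val[i]; i++) out->val[i] = (char)tolower((unsigned char)out->val[i]);
    return out;
}

/* Returns how many releases hit a string whose count was already zero.
 * extra_release = 1 models the unbalanced path, 0 the balanced one. */
int send_with_headers(const char *hdr, int extra_release) {
    rc_str *headers = rc_new(hdr);            /* caller's single reference */
    rc_str *lc = rc_tolower(headers);
    if (extra_release && lc == headers) rc_release(lc);
    rc_release(lc);                           /* cleanup of the lowercase copy */
    rc_release(headers);                      /* caller drops its reference */
    int stale = headers->stale_releases;
    if (lc != headers) free(lc);
    free(headers);
    return stale;
}

int main(void) {
    return send_with_headers("from:", 1) == 1 ? 0 : 1;  /* exits 0 if the model flags it */
}
```

Only the already-lowercase input aliases the original string, which is why the test script's `'from:'` header reaches the unbalanced path while a mixed-case header does not.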


add-fronk-support (last revision 2022-07-18 03:19 UTC by 1033831147 at qq dot com)

 [2019-12-10 17:12 UTC]
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2019-12-10 17:36 UTC]
Issue has been introduced with commit a5bc5ae[1], so PHP 7.2 is
not affected.

[1] <;a=commit;h=a5bc5aed71f7a15f14f33bb31b8e17bf5f327e2d>
 [2019-12-10 17:37 UTC]
-PHP Version: 7.2.26RC1 +PHP Version: 7.3.13RC1
 [2019-12-10 17:38 UTC]
-Operating System: * +Operating System: Windows
 [2019-12-10 17:38 UTC]
This affects Windows only.
 [2019-12-10 17:45 UTC]
-Assigned To: +Assigned To: stas
 [2019-12-10 17:45 UTC]
Suggested patch:

Stas, can you handle this please?
 [2019-12-10 20:07 UTC]
Sure. Not clear how this got into PCRE2 patch?
 [2019-12-16 19:07 UTC]
-CVE-ID: +CVE-ID: 2019-11049
 [2019-12-16 19:07 UTC]
Not sure it's even exploitable, but since mail could deal with external data, I'll add a CVE just in case.
 [2019-12-16 19:08 UTC]
-Status: Assigned +Status: Closed
 [2019-12-16 19:08 UTC]
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from and re-test.
Thank you for the report, and for helping us make PHP better.

 [2019-12-17 08:38 UTC]
Automatic comment on behalf of
Log: Fix #78943: mail() may release string with refcount==1 twice