Fix GH-20858: null pointer dereference in php_mail_detect_multiple_crlf via error_log

jordikroon · devnexen · commit 51b1aa160deb · 2026-01-10T00:51:25.000Z
close GH-20862
diff --git a/NEWS b/NEWS
@@ -31,6 +31,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI
     small value). (David Carlier)
 
+- Mail:
+  . Fixed bug GH-20862 (null pointer dereference in 
+    php_mail_detect_multiple_crlf via error_log (jordikroon)
+
 - Mbstring:
   . ini_set() with mbstring.detect_order changes the order of mb_detect_order
     as intended, since mbstring.detect_order is an INI_ALL setting. (tobee94)
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
@@ -1349,11 +1349,17 @@ PHPAPI zend_result _php_error_log(int opt_err, const zend_string *message, const
 {
 	php_stream *stream = NULL;
 	size_t nbytes;
+	const char *hdrs = NULL;
 
 	switch (opt_err)
 	{
 		case 1:		/*send an email */
-			if (!php_mail(ZSTR_VAL(opt), "PHP error_log message", ZSTR_VAL(message), ZSTR_VAL(headers), NULL)) {
+			if (!opt) {
+				return FAILURE;
+			}
+
+			hdrs = headers ? ZSTR_VAL(headers) : NULL;
+			if (!php_mail(ZSTR_VAL(opt), "PHP error_log message", ZSTR_VAL(message), hdrs, NULL)) {
 				return FAILURE;
 			}
 			break;
diff --git a/tests/basic/gh20858.phpt b/tests/basic/gh20858.phpt
@@ -0,0 +1,36 @@
+--TEST--
+GH-20858 Null pointer dereference in php_mail_detect_multiple_crlf via error_log
+--INI--
+sendmail_path={MAIL:{PWD}/gh20858.eml}
+mail.add_x_header=off
+--FILE--
+<?php
+
+$headers  = "From: test <mail@domain.tld>\n";
+$headers .= "Cc: test <mail@domain.tld>\n"; 
+$headers .= 'X-Mailer: PHP/' . phpversion();
+
+// Send mail with nothing set
+var_dump(error_log("Error message", 1, null));
+
+// Send mail with destination set
+var_dump(error_log("Error message with dest", 1, "default@domain.tld", null));
+
+// Send mail with custom headers and no mailer to
+var_dump(error_log("Error message cust headers", 1, null, $headers));
+
+// Send mail with destination set + custom headers
+var_dump(error_log("Error message with both", 1, "default@domain.tld", $headers));
+?>
+--CLEAN--
+<?php
+$filePath = __DIR__ . "/gh20858.eml";
+if (file_exists($filePath)) {
+    unlink($filePath);
+}
+?>
+--EXPECTF--
+bool(false)
+bool(true)
+bool(false)
+bool(true)

Original file line number	Diff line number	Diff line change
`@@ -1349,11 +1349,17 @@ PHPAPI zend_result _php_error_log(int opt_err, const zend_string *message, const`
`1349`	`1349`	`{`
`1350`	`1350`	`php_stream *stream = NULL;`
`1351`	`1351`	`size_t nbytes;`
	`1352`	`+ const char *hdrs = NULL;`
`1352`	`1353`
`1353`	`1354`	`switch (opt_err)`
`1354`	`1355`	`{`
`1355`	`1356`	`case 1: /send an email /`
`1356`		`- if (!php_mail(ZSTR_VAL(opt), "PHP error_log message", ZSTR_VAL(message), ZSTR_VAL(headers), NULL)) {`
	`1357`	`+ if (!opt) {`
	`1358`	`+ return FAILURE;`
	`1359`	`+ }`
	`1360`	`+`
	`1361`	`+ hdrs = headers ? ZSTR_VAL(headers) : NULL;`
	`1362`	`+ if (!php_mail(ZSTR_VAL(opt), "PHP error_log message", ZSTR_VAL(message), hdrs, NULL)) {`
`1357`	`1363`	`return FAILURE;`
`1358`	`1364`	`}`
`1359`	`1365`	`break;`