
Commit f06e79e

Merge branch 'PHP-8.5'
* PHP-8.5: Fix phpGH-20257: heap overflow on empty message in `lf` mode.
2 parents 375b6c2 + d378dce commit f06e79e


2 files changed

+39
-20
lines changed


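--- a/ext/standard/mail.c
+++ b/ext/standard/mail.c
@@ -614,34 +614,36 @@ PHPAPI bool php_mail(const char *to, const char *subject, const char *message, c
 size_t msg_len = strlen(message);
 size_t new_len = 0;
 
-for (size_t i = 0; i < msg_len - 1; ++i) {
-if (message[i] == '\r' && message[i + 1] == '\n') {
-++new_len;
+if (msg_len > 0) {
+for (size_t i = 0; i < msg_len - 1; ++i) {
+if (message[i] == '\r' && message[i + 1] == '\n') {
+++new_len;
+}
 }
-}
 
-if (new_len == 0) {
-fprintf(sendmail, "%s", message);
-} else {
-converted_message = emalloc(msg_len - new_len + 1);
-size_t j = 0;
-for (size_t i = 0; i < msg_len; ++i) {
-if (i < msg_len - 1 && message[i] == '\r' && message[i + 1] == '\n') {
-converted_message[j++] = '\n';
-++i; /* skip LF part */
-} else {
-converted_message[j++] = message[i];
+if (new_len == 0) {
+fprintf(sendmail, "%s", message);
+} else {
+converted_message = emalloc(msg_len - new_len + 1);
+size_t j = 0;
+for (size_t i = 0; i < msg_len; ++i) {
+if (i < msg_len - 1 && message[i] == '\r' && message[i + 1] == '\n') {
+converted_message[j++] = '\n';
+++i; /* skip LF part */
+} else {
+converted_message[j++] = message[i];
+}
 }
-}
 
-converted_message[j] = '\0';
-fprintf(sendmail, "%s", converted_message);
-efree(converted_message);
+converted_message[j] = '\0';
+fprintf(sendmail, "%s", converted_message);
+efree(converted_message);
+}
 }
 } else {
 fprintf(sendmail, "%s", message);
 }
-
+
 fprintf(sendmail, "%s", line_sep);
 #ifdef PHP_WIN32
 ret = pclose(sendmail);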
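Review bot: Both loops still compute their bound as the `size_t` subtraction `msg_len - 1` (the counting loop at new line 618 and the inner check at new line 630), so they are safe only because of the new outer `if (msg_len > 0)`. Writing the bounds as `i + 1 < msg_len` would remove the wrap-around at its source and make the guard, and the extra nesting level, unnecessary. If the guard stays, a short comment above it such as `/* msg_len - 1 wraps to SIZE_MAX for an empty message */` would tell the next reader why it must not be dropped in a refactor. php_mail's body starts and ends outside this hunk, so other uses of `message` in the function were not reviewed.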
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
--TEST--
2+
GH-20257: heap overflow with empty message and mail.cr_lf_mode=lf set
3+
--INI--
4+
sendmail_path="exit 1"
5+
mail.cr_lf_mode=lf
6+
--CREDITS--
7+
YuanchengJiang
8+
--FILE--
9+
<?php
10+
11+
$subject = $message = "";
12+
var_dump(mail($to, $subject, $message));
13+
?>
14+
--EXPECTF--
15+
16+
Warning: mail(): Sendmail exited with non-zero exit code 1 in %s on line %d
17+
bool(false)
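Review bot: The regression test pins only the empty-message case, while the patched loops have two more edges around `msg_len - 1`: a one-byte message and a message whose last byte is `\r`. Consider adding cases such as `$message = "\r";` and `$message = "a\r\n";` under the same `mail.cr_lf_mode=lf` setting, unless other tests in the suite already cover them. Since the defect is a memory-safety fault, the test is presumably most telling when the suite runs under a memory checker.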
