diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 1720a66933385..5cb8a4ac7bd49 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -52,6 +52,7 @@
 /ext/sockets @devnexen
 /ext/spl @Girgias
 /ext/standard @bukka
+/ext/tidy @nielsdos
 /ext/uri @kocsismate @TimWolla
 /ext/xml @nielsdos
 /ext/xmlreader @nielsdos
diff --git a/EXTENSIONS b/EXTENSIONS
index 5cce4ae7c9232..f040afcced6e9 100644
--- a/EXTENSIONS
+++ b/EXTENSIONS
@@ -495,6 +495,7 @@ EXTENSION:           tidy
 PRIMARY MAINTAINER:  John Coggeshall <john@php.net> (2003 - 2006)
                      Ilia Alshanetsky <iliaa@php.net> (2003 - 2009)
                      Nuno Lopes <nlopess@php.net> (2006 - 2012)
+                     Niels Dossche <nielsdos@php.net> (2025 - 2025)
 MAINTENANCE:         Maintained
 STATUS:              Working
 -------------------------------------------------------------------------------
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index c8863a4b27ad5..69665c5bbbb1f 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -4935,7 +4935,7 @@ static void cleanup_live_vars(zend_execute_data *execute_data, uint32_t op_num,
 					if (last->opcode == ZEND_ROPE_INIT) {
 						zend_string_release_ex(*rope, 0);
 					} else {
-						int j = last->extended_value;
+						uint32_t j = last->extended_value;
 						do {
 							zend_string_release_ex(rope[j], 0);
 						} while (j--);
diff --git a/ext/standard/mail.c b/ext/standard/mail.c
index f6161782bdd76..8c8b4e6717e0b 100644
--- a/ext/standard/mail.c
+++ b/ext/standard/mail.c
@@ -614,34 +614,36 @@ PHPAPI bool php_mail(const char *to, const char *subject, const char *message, c
 			size_t msg_len = strlen(message);
 			size_t new_len = 0;
 
-			for (size_t i = 0; i < msg_len - 1; ++i) {
-				if (message[i] == '\r' && message[i + 1] == '\n') {
-					++new_len;
+			if (msg_len > 0) {
+				for (size_t i = 0; i < msg_len - 1; ++i) {
+					if (message[i] == '\r' && message[i + 1] == '\n') {
+						++new_len;
+					}
 				}
-			}
 
-			if (new_len == 0) {
-				fprintf(sendmail, "%s", message);
-			} else {
-				converted_message = emalloc(msg_len - new_len + 1);
-				size_t j = 0;
-				for (size_t i = 0; i < msg_len; ++i) {
-					if (i < msg_len - 1 && message[i] == '\r' && message[i + 1] == '\n') {
-						converted_message[j++] = '\n';
-						++i; /* skip LF part */
-					} else {
-						converted_message[j++] = message[i];
+				if (new_len == 0) {
+					fprintf(sendmail, "%s", message);
+				} else {
+					converted_message = emalloc(msg_len - new_len + 1);
+					size_t j = 0;
+					for (size_t i = 0; i < msg_len; ++i) {
+						if (i < msg_len - 1 && message[i] == '\r' && message[i + 1] == '\n') {
+							converted_message[j++] = '\n';
+							++i; /* skip LF part */
+						} else {
+							converted_message[j++] = message[i];
+						}
 					}
-				}
 
-				converted_message[j] = '\0';
-				fprintf(sendmail, "%s", converted_message);
-				efree(converted_message);
+					converted_message[j] = '\0';
+					fprintf(sendmail, "%s", converted_message);
+					efree(converted_message);
+				}
 			}
 		} else {
 			fprintf(sendmail, "%s", message);
 		}
-		
+
 		fprintf(sendmail, "%s", line_sep);
 #ifdef PHP_WIN32
 		ret = pclose(sendmail);
diff --git a/ext/standard/tests/mail/gh20257.phpt b/ext/standard/tests/mail/gh20257.phpt
new file mode 100644
index 0000000000000..68374173413fc
--- /dev/null
+++ b/ext/standard/tests/mail/gh20257.phpt
@@ -0,0 +1,17 @@
+--TEST--
+GH-20257: heap overflow with empty message and mail.cr_lf_mode=lf set
+--INI--
+sendmail_path="exit 1"
+mail.cr_lf_mode=lf
+--CREDITS--
+YuanchengJiang
+--FILE--
+<?php
+$to = "user@example.com";
+$subject = $message = "";
+var_dump(mail($to, $subject, $message));
+?>
+--EXPECTF--
+
+Warning: mail(): Sendmail exited with non-zero exit code 1 in %s on line %d
+bool(false)