From 20f9772063cc3eb1e021508adc1433b62b6e5a25 Mon Sep 17 00:00:00 2001
From: Gina Peter Banyard <girgias@php.net>
Date: Wed, 24 Dec 2025 17:48:18 +0100
Subject: [PATCH] ext/standard: Fix memory leak in mail() when header key is
 numeric

Closes GH-20776
---
 NEWS                                 |  1 +
 ext/standard/mail.c                  |  3 ++-
 ext/standard/tests/mail/gh20776.phpt | 15 +++++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/mail/gh20776.phpt

diff --git a/NEWS b/NEWS
index 2fb8cd3620f..604f81d3078 100644
--- a/NEWS
+++ b/NEWS
@@ -57,6 +57,7 @@ PHP                                                                        NEWS
 
 - Standard:
   . Fix error check for proc_open() command. (ndossche)
+  . Fix memory leak in mail() when header key is numeric. (Girgias)
 
 18 Dec 2025, PHP 8.4.16
 
diff --git a/ext/standard/mail.c b/ext/standard/mail.c
index 35c23a0be76..c9b34fbdfc9 100644
--- a/ext/standard/mail.c
+++ b/ext/standard/mail.c
@@ -214,7 +214,8 @@ PHPAPI zend_string *php_mail_build_headers(HashTable *headers)
 	ZEND_HASH_FOREACH_KEY_VAL(headers, idx, key, val) {
 		if (!key) {
 			zend_type_error("Header name cannot be numeric, " ZEND_LONG_FMT " given", idx);
-			break;
+			smart_str_free(&s);
+			return NULL;
 		}
 		ZVAL_DEREF(val);
 		/* https://tools.ietf.org/html/rfc2822#section-3.6 */
diff --git a/ext/standard/tests/mail/gh20776.phpt b/ext/standard/tests/mail/gh20776.phpt
new file mode 100644
index 00000000000..aec68c47192
--- /dev/null
+++ b/ext/standard/tests/mail/gh20776.phpt
@@ -0,0 +1,15 @@
+--TEST--
+GH-20776: mail() memory leak when header array contains numeric keys
+--FILE--
+<?php
+$to = "user@example.com";
+$subject = $message = "";
+
+try {
+    var_dump(mail($to, $subject, $message, ['RandomHeader' => 'Value', 5 => 'invalid key']));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+?>
+--EXPECT--
+TypeError: Header name cannot be numeric, 5 given