Fix GH-20257: heap overflow on empty message in lf mode.

close GH-20258
2026-04-29 19:23:22 +02:00 · 2025-10-22 07:18:23 +01:00
parent f8d804b9ee
commit d378dce3e9
3 changed files with 44 additions and 21 deletions
@@ -6,6 +6,10 @@ PHP                                                                        NEWS
  . Fixed bug GH-20217 (ReflectionClass::isIterable() incorrectly returns true
    for classes with property hooks). (alexandre-daubois)

+- Standard:
+  . Fixed bug GH-20257 (mail() heap overflow with an empty message in lf mode).
+    (David Carlier)
+
 23 Oct 2025, PHP 8.5.0RC3

 - Core:
@@ -614,34 +614,36 @@ PHPAPI bool php_mail(const char *to, const char *subject, const char *message, c
 			size_t msg_len = strlen(message);
 			size_t new_len = 0;

-			for (size_t i = 0; i < msg_len - 1; ++i) {
-				if (message[i] == '\r' && message[i + 1] == '\n') {
-					++new_len;
-				}
-			}
-
-			if (new_len == 0) {
-				fprintf(sendmail, "%s", message);
-			} else {
-				converted_message = emalloc(msg_len - new_len + 1);
-				size_t j = 0;
-				for (size_t i = 0; i < msg_len; ++i) {
-					if (i < msg_len - 1 && message[i] == '\r' && message[i + 1] == '\n') {
-						converted_message[j++] = '\n';
-						++i; /* skip LF part */
-					} else {
-						converted_message[j++] = message[i];
+			if (msg_len > 0) {
+				for (size_t i = 0; i < msg_len - 1; ++i) {
+					if (message[i] == '\r' && message[i + 1] == '\n') {
+						++new_len;
 					}
 				}

-				converted_message[j] = '\0';
-				fprintf(sendmail, "%s", converted_message);
-				efree(converted_message);
+				if (new_len == 0) {
+					fprintf(sendmail, "%s", message);
+				} else {
+					converted_message = emalloc(msg_len - new_len + 1);
+					size_t j = 0;
+					for (size_t i = 0; i < msg_len; ++i) {
+						if (i < msg_len - 1 && message[i] == '\r' && message[i + 1] == '\n') {
+							converted_message[j++] = '\n';
+							++i; /* skip LF part */
+						} else {
+							converted_message[j++] = message[i];
+						}
+					}
+
+					converted_message[j] = '\0';
+					fprintf(sendmail, "%s", converted_message);
+					efree(converted_message);
+				}
 			}
 		} else {
 			fprintf(sendmail, "%s", message);
 		}
-		
+
 		fprintf(sendmail, "%s", line_sep);
 #ifdef PHP_WIN32
 		ret = pclose(sendmail);
@@ -0,0 +1,17 @@
+--TEST--
+GH-20257: heap overflow with empty message and mail.cr_lf_mode=lf set
+--INI--
+sendmail_path="exit 1"
+mail.cr_lf_mode=lf
+--CREDITS--
+YuanchengJiang
+--FILE--
+<?php
+$to = "user@example.com";
+$subject = $message = "";
+var_dump(mail($to, $subject, $message));
+?>
+--EXPECTF--
+
+Warning: mail(): Sendmail exited with non-zero exit code 1 in %s on line %d
+bool(false)