Merge branch 'PHP-8.5'

* PHP-8.5: Fix GH-20257: heap overflow on empty message in `lf` mode.
2026-03-24 00:02:20 +01:00 · 2025-10-22 21:28:35 +01:00
parent 375b6c28f1 d378dce3e9
commit f06e79e6f4
2 changed files with 40 additions and 21 deletions
--- a/ext/standard/mail.c
+++ b/ext/standard/mail.c
@@ -614,34 +614,36 @@ PHPAPI bool php_mail(const char *to, const char *subject, const char *message, c
 			size_t msg_len = strlen(message);
 			size_t new_len = 0;

-			for (size_t i = 0; i < msg_len - 1; ++i) {
-				if (message[i] == '\r' && message[i + 1] == '\n') {
-					++new_len;
-				}
-			}
-
-			if (new_len == 0) {
-				fprintf(sendmail, "%s", message);
-			} else {
-				converted_message = emalloc(msg_len - new_len + 1);
-				size_t j = 0;
-				for (size_t i = 0; i < msg_len; ++i) {
-					if (i < msg_len - 1 && message[i] == '\r' && message[i + 1] == '\n') {
-						converted_message[j++] = '\n';
-						++i; /* skip LF part */
-					} else {
-						converted_message[j++] = message[i];
+			if (msg_len > 0) {
+				for (size_t i = 0; i < msg_len - 1; ++i) {
+					if (message[i] == '\r' && message[i + 1] == '\n') {
+						++new_len;
 					}
 				}

-				converted_message[j] = '\0';
-				fprintf(sendmail, "%s", converted_message);
-				efree(converted_message);
+				if (new_len == 0) {
+					fprintf(sendmail, "%s", message);
+				} else {
+					converted_message = emalloc(msg_len - new_len + 1);
+					size_t j = 0;
+					for (size_t i = 0; i < msg_len; ++i) {
+						if (i < msg_len - 1 && message[i] == '\r' && message[i + 1] == '\n') {
+							converted_message[j++] = '\n';
+							++i; /* skip LF part */
+						} else {
+							converted_message[j++] = message[i];
+						}
+					}
+
+					converted_message[j] = '\0';
+					fprintf(sendmail, "%s", converted_message);
+					efree(converted_message);
+				}
 			}
 		} else {
 			fprintf(sendmail, "%s", message);
 		}
-		
+
 		fprintf(sendmail, "%s", line_sep);
 #ifdef PHP_WIN32
 		ret = pclose(sendmail);
--- a/ext/standard/tests/mail/gh20257.phpt
+++ b/ext/standard/tests/mail/gh20257.phpt
@@ -0,0 +1,17 @@
+--TEST--
+GH-20257: heap overflow with empty message and mail.cr_lf_mode=lf set
+--INI--
+sendmail_path="exit 1"
+mail.cr_lf_mode=lf
+--CREDITS--
+YuanchengJiang
+--FILE--
+<?php
+$to = "user@example.com";
+$subject = $message = "";
+var_dump(mail($to, $subject, $message));
+?>
+--EXPECTF--
+
+Warning: mail(): Sendmail exited with non-zero exit code 1 in %s on line %d
+bool(false)