From 8f1b7c2afeb530015656f0c3702fa9367d13d782 Mon Sep 17 00:00:00 2001 From: Ilia Alshanetsky Date: Sun, 7 Jun 2026 16:21:59 -0400 Subject: [PATCH] mbstring: Fix memory leak in mail header parsing A header field name with no value (input ending at the colon) leaves fld_name allocated but unreleased, since the cleanup blocks only fire when both fld_name and fld_val are set. Release the dangling fld_name in both the loop-body and end-of-input branches. --- ext/mbstring/mbstring.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c index e90b43f156ac..c3394e79f021 100644 --- a/ext/mbstring/mbstring.c +++ b/ext/mbstring/mbstring.c @@ -4444,12 +4444,14 @@ static int _php_mbstr_parse_mail_headers(HashTable *ht, const char *str, size_t fld_val = zend_string_init(token, token_pos, 0); } - if (fld_name != NULL && fld_val != NULL) { - zval val; - zend_str_tolower(ZSTR_VAL(fld_name), ZSTR_LEN(fld_name)); - ZVAL_STR(&val, fld_val); + if (fld_name != NULL) { + if (fld_val != NULL) { + zval val; + zend_str_tolower(ZSTR_VAL(fld_name), ZSTR_LEN(fld_name)); + ZVAL_STR(&val, fld_val); - zend_hash_update(ht, fld_name, &val); + zend_hash_update(ht, fld_name, &val); + } zend_string_release_ex(fld_name, 0); } @@ -4490,11 +4492,13 @@ static int _php_mbstr_parse_mail_headers(HashTable *ht, const char *str, size_t if(token && token_pos > 0) { fld_val = zend_string_init(token, token_pos, 0); } - if (fld_name != NULL && fld_val != NULL) { - zval val; - zend_str_tolower(ZSTR_VAL(fld_name), ZSTR_LEN(fld_name)); - ZVAL_STR(&val, fld_val); - zend_hash_update(ht, fld_name, &val); + if (fld_name != NULL) { + if (fld_val != NULL) { + zval val; + zend_str_tolower(ZSTR_VAL(fld_name), ZSTR_LEN(fld_name)); + ZVAL_STR(&val, fld_val); + zend_hash_update(ht, fld_name, &val); + } zend_string_release_ex(fld_name, 0); }