mbstring: Fix memory leak in mail header parsing

iliaal · iliaal · commit 76141eac5870 · 2026-06-07T17:09:15.000-04:00
A header field name with no value (input ending at the colon) leaves
fld_name allocated but unreleased, since the cleanup blocks only fire
when both fld_name and fld_val are set. Release the dangling fld_name in
both the loop-body and end-of-input branches.
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
@@ -4453,6 +4453,9 @@ static int _php_mbstr_parse_mail_headers(HashTable *ht, const char *str, size_t
 
 								zend_string_release_ex(fld_name, 0);
 							}
+							else if (fld_name != NULL) {
+								zend_string_release_ex(fld_name, 0);
+							}
 
 							fld_name = fld_val = NULL;
 							token = (char*)ps;
@@ -4498,6 +4501,9 @@ static int _php_mbstr_parse_mail_headers(HashTable *ht, const char *str, size_t
 
 			zend_string_release_ex(fld_name, 0);
 		}
+		else if (fld_name != NULL) {
+			zend_string_release_ex(fld_name, 0);
+		}
 	}
 	return state;
 }

Original file line number	Diff line number	Diff line change
`@@ -4453,6 +4453,9 @@ static int _php_mbstr_parse_mail_headers(HashTable ht, const char str, size_t`
`4453`	`4453`
`4454`	`4454`	`zend_string_release_ex(fld_name, 0);`
`4455`	`4455`	`}`
	`4456`	`+ else if (fld_name != NULL) {`
	`4457`	`+ zend_string_release_ex(fld_name, 0);`
	`4458`	`+ }`
`4456`	`4459`
`4457`	`4460`	`fld_name = fld_val = NULL;`
`4458`	`4461`	`token = (char*)ps;`
`@@ -4498,6 +4501,9 @@ static int _php_mbstr_parse_mail_headers(HashTable ht, const char str, size_t`
`4498`	`4501`
`4499`	`4502`	`zend_string_release_ex(fld_name, 0);`
`4500`	`4503`	`}`
	`4504`	`+ else if (fld_name != NULL) {`
	`4505`	`+ zend_string_release_ex(fld_name, 0);`
	`4506`	`+ }`
`4501`	`4507`	`}`
`4502`	`4508`	`return state;`
`4503`	`4509`	`}`