Fixed bug #69115 crash in mail

There were two issues

- php_pcre_replace could be used directly and sbject_str could be NULL
- the Windows sendmail variant was freeing something passed from the outside

Author: weltling

ext/pcre/php_pcre.c

@@ -1221,7 +1221,11 @@ PHPAPI zend_string *php_pcre_replace_impl(pcre_cache_entry *pce, zend_string *su
 				new_len = result_len + subject_len - start_offset;
 				if (new_len > alloc_len) {
 					alloc_len = new_len; /* now we know exactly how long it is */
-					result = zend_string_realloc(result, alloc_len, 0);
+					if (NULL != result) {
+						result = zend_string_realloc(result, alloc_len, 0);
+					} else {
+						result = zend_string_alloc(alloc_len, 0);
+					}
 				}
 				/* stick that last bit of string on our output */
 				memcpy(&result->val[result_len], piece, subject_len - start_offset);

ext/standard/tests/mail/bug69115.phpt

@@ -0,0 +1,12 @@
+--TEST--
+Bug #69115 crash in mail (plus indirect pcre test)
+--FILE--
+<?php
+/* Just ensure it doesn't crash when trimming headers */
+$message = "Line 1\r\nLine 2\r\nLine 3";
+mail('[email protected]', 'My Subject', $message, "From: [email protected]");
+?>
+===DONE===
+--EXPECTF--
+%A
+===DONE===

win32/sendmail.c

@@ -292,7 +292,6 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message,
 			efree(RPath);
 		}
 		if (headers) {
-			efree(headers);
 			efree(headers_lc);
 		}
 		/* 128 is safe here, the specifier in snprintf isn't longer than that */