Commit 20f9772063c for php.net

commit 20f9772063cc3eb1e021508adc1433b62b6e5a25
Author: Gina Peter Banyard <girgias@php.net>
Date:   Wed Dec 24 17:48:18 2025 +0100

    ext/standard: Fix memory leak in mail() when header key is numeric

    Closes GH-20776

diff --git a/NEWS b/NEWS
index 2fb8cd3620f..604f81d3078 100644
--- a/NEWS
+++ b/NEWS
@@ -57,6 +57,7 @@ PHP                                                                        NEWS

 - Standard:
   . Fix error check for proc_open() command. (ndossche)
+  . Fix memory leak in mail() when header key is numeric. (Girgias)

 18 Dec 2025, PHP 8.4.16

diff --git a/ext/standard/mail.c b/ext/standard/mail.c
index 35c23a0be76..c9b34fbdfc9 100644
--- a/ext/standard/mail.c
+++ b/ext/standard/mail.c
@@ -214,7 +214,8 @@ PHPAPI zend_string *php_mail_build_headers(HashTable *headers)
 	ZEND_HASH_FOREACH_KEY_VAL(headers, idx, key, val) {
 		if (!key) {
 			zend_type_error("Header name cannot be numeric, " ZEND_LONG_FMT " given", idx);
-			break;
+			smart_str_free(&s);
+			return NULL;
 		}
 		ZVAL_DEREF(val);
 		/* https://tools.ietf.org/html/rfc2822#section-3.6 */
diff --git a/ext/standard/tests/mail/gh20776.phpt b/ext/standard/tests/mail/gh20776.phpt
new file mode 100644
index 00000000000..aec68c47192
--- /dev/null
+++ b/ext/standard/tests/mail/gh20776.phpt
@@ -0,0 +1,15 @@
+--TEST--
+GH-20776: mail() memory leak when header array contains numeric keys
+--FILE--
+<?php
+$to = "user@example.com";
+$subject = $message = "";
+
+try {
+    var_dump(mail($to, $subject, $message, ['RandomHeader' => 'Value', 5 => 'invalid key']));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+?>
+--EXPECT--
+TypeError: Header name cannot be numeric, 5 given