fix null pointer dereference in php_mail_detect_multiple_crlf via error_log

Author: jordikroon

ext/standard/basic_functions.c

@@ -1350,10 +1350,16 @@ PHPAPI zend_result _php_error_log(int opt_err, const zend_string *message, const
 	php_stream *stream = NULL;
 	size_t nbytes;
 
+	const char *to = NULL;
+	const char *hdrs = NULL;
+
 	switch (opt_err)
 	{
 		case 1:		/*send an email */
-			if (!php_mail(ZSTR_VAL(opt), "PHP error_log message", ZSTR_VAL(message), ZSTR_VAL(headers), NULL)) {
+			to = opt ? ZSTR_VAL(opt) : NULL;
+			hdrs = headers ? ZSTR_VAL(headers) : NULL;
+
+			if (!php_mail(to, "PHP error_log message", ZSTR_VAL(message), hdrs, NULL)) {
 				return FAILURE;
 			}
 			break;

tests/basic/gh20858.phpt

@@ -0,0 +1,35 @@
+--TEST--
+GH-20858 Null pointer dereference in php_mail_detect_multiple_crlf via error_log
+--INI--
+sendmail_path="cat > /tmp/php_test_gh20878.out"
+mail.force_extra_parameters="-n"
+mail.add_x_header = Off
+--SKIPIF--
+<?php
+if(substr(PHP_OS, 0, 3) == "WIN")
+  die("skip Won't run on Windows");
+?>
+--FILE--
+<?php
+
+$headers  = "From: test <mail@domain.tld>\n";
+$headers .= "Cc: test <mail@domain.tld>\n"; 
+$headers .= 'X-Mailer: PHP/' . phpversion();
+
+// Send mail with nothing set
+var_dump(error_log("Error message", 1, null));
+
+// Send mail with destination set
+var_dump(error_log("Error message with dest", 1, "default@domain.tld>", null));
+
+// Send mail with custom headers
+var_dump(error_log("Error message cust headers", 1, null, $headers));
+
+// Send mail with destination set + custom headers
+var_dump(error_log("Error message with both", 1, "default@domain.tld>", $headers));
+?>
+--EXPECTF--
+bool(true)
+bool(true)
+bool(true)
+bool(true)