From 39b05c25ed0c216fcfef870cd6189986cf6069ef Mon Sep 17 00:00:00 2001
From: Gina Peter Banyard <girgias@php.net>
Date: Wed, 24 Dec 2025 17:48:18 +0100
Subject: [PATCH] ext/standard: Fix memory leak in mail() when header key is
 numeric

---
 ext/standard/mail.c                  |  3 ++-
 ext/standard/tests/mail/gh20776.phpt | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/mail/gh20776.phpt

diff --git a/ext/standard/mail.c b/ext/standard/mail.c
index 35c23a0be76c0..c9b34fbdfc92d 100644
--- a/ext/standard/mail.c
+++ b/ext/standard/mail.c
@@ -214,7 +214,8 @@ PHPAPI zend_string *php_mail_build_headers(HashTable *headers)
 	ZEND_HASH_FOREACH_KEY_VAL(headers, idx, key, val) {
 		if (!key) {
 			zend_type_error("Header name cannot be numeric, " ZEND_LONG_FMT " given", idx);
-			break;
+			smart_str_free(&s);
+			return NULL;
 		}
 		ZVAL_DEREF(val);
 		/* https://tools.ietf.org/html/rfc2822#section-3.6 */
diff --git a/ext/standard/tests/mail/gh20776.phpt b/ext/standard/tests/mail/gh20776.phpt
new file mode 100644
index 0000000000000..aec68c4719202
--- /dev/null
+++ b/ext/standard/tests/mail/gh20776.phpt
@@ -0,0 +1,15 @@
+--TEST--
+GH-20776: mail() memory leak when header array contains numeric keys
+--FILE--
+<?php
+$to = "user@example.com";
+$subject = $message = "";
+
+try {
+    var_dump(mail($to, $subject, $message, ['RandomHeader' => 'Value', 5 => 'invalid key']));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+?>
+--EXPECT--
+TypeError: Header name cannot be numeric, 5 given