From e6c8ef4a74557e4e986f2580813f6303c36fae60 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Fri, 19 Jun 2026 08:46:07 -0400
Subject: [PATCH] Fix memory leak when a plain parameter repeats an RFC2231 name
---
 php_mailparse_mime.c | 5 +++++
 tests/rfc2231_duplicate_plain_name.phpt | 20 ++++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 tests/rfc2231_duplicate_plain_name.phpt
diff --git a/php_mailparse_mime.c b/php_mailparse_mime.c
index 13caa99..5e8e5bf 100644
--- a/php_mailparse_mime.c
+++ b/php_mailparse_mime.c
@@ -267,6 +267,11 @@ static struct php_mimeheader_with_attributes *php_mimeheader_alloc_from_tok(php_
 }
 namechanged = 0;
+ } else if (name && name != name_buf) {
+ /* plain parameter repeating the active RFC2231 name
+ * (a separate allocation from name_buf): free the name
+ * that would otherwise leak */
+ efree(name);
 }
 } else {
 add_assoc_string(&attr->attributes, name, value);
diff --git a/tests/rfc2231_duplicate_plain_name.phpt b/tests/rfc2231_duplicate_plain_name.phpt
new file mode 100644
index 0000000..cbb54d1
--- /dev/null
+++ b/tests/rfc2231_duplicate_plain_name.phpt
@@ -0,0 +1,20 @@
+--TEST--
+A plain parameter repeating an RFC2231 encoded name does not leak the name
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+string(10) "text/plain"
+string(1) "a"
+done
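Review bot: In the new `else if (name && name != name_buf)` branch, `name` is freed but left pointing at the released block; clearing it straight away, `efree(name); name = NULL;`, would keep any later read or free in the same loop iteration from becoming a use-after-free or double free. The branch also records nothing for the repeated plain parameter, so as far as the hunk shows its value is silently dropped in favour of the RFC2231 one. A short comment stating that precedence would help, because mail filters that resolve a `name*=` / `name=` duplicate differently from this parser can end up disagreeing with it about parameter values such as attachment names. The body of php_mimeheader_alloc_from_tok starts and ends outside the hunk, so whether `name` is touched again after this branch could not be checked here.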