php · iliaal · Jun 19, 2026
diff --git a/php_mailparse_mime.c b/php_mailparse_mime.c
@@ -267,6 +267,11 @@ static struct php_mimeheader_with_attributes *php_mimeheader_alloc_from_tok(php_
 						}
 
 						namechanged = 0;
+					} else if (name && name != name_buf) {
+						/* plain parameter repeating the active RFC2231 name
+						 * (a separate allocation from name_buf): free the name
+						 * that would otherwise leak */
+						efree(name);
 					}
 				} else {
 					add_assoc_string(&attr->attributes, name, value);

diff --git a/tests/rfc2231_duplicate_plain_name.phpt b/tests/rfc2231_duplicate_plain_name.phpt
@@ -0,0 +1,20 @@
+--TEST--
+A plain parameter repeating an RFC2231 encoded name does not leak the name
+--SKIPIF--
+<?php if (!extension_loaded("mailparse")) print "skip"; ?>
+--FILE--
+<?php
+/* "URL*0=a" opens an RFC2231 continuation named URL; the following plain
+ * "URL=b" repeats that base name. The duplicate name string used to leak. */
+$m = mailparse_msg_create();
+mailparse_msg_parse($m, "Content-Type: text/plain; URL*0=\"a\"; URL=\"b\"\r\n\r\nbody\r\n");
+$d = mailparse_msg_get_part_data($m);
+var_dump($d["content-type"]);
+var_dump($d["content-url"]);
+mailparse_msg_free($m);
+echo "done\n";
+?>
+--EXPECT--
+string(10) "text/plain"
+string(1) "a"
+done