From 01d598aea34825f67089801ea61234de5d499aaf Mon Sep 17 00:00:00 2001
From: ndossche <niels.dossche@ugent.be>
Date: Tue, 20 Jan 2026 15:14:13 +0100
Subject: [PATCH] Fix memory leaks in php_array_to_X509_sk() when push fails

---
 ext/openssl/openssl.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 62ffa7f9200..39bfe912fc4 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -2581,7 +2581,10 @@ static STACK_OF(X509) *php_array_to_X509_sk(zval * zcerts, uint32_t arg_num, con
 				}
 
 			}
-			sk_X509_push(sk, cert);
+			if (sk_X509_push(sk, cert) <= 0) {
+				X509_free(cert);
+				goto push_fail_exit;
+			}
 		} ZEND_HASH_FOREACH_END();
 	} else {
 		/* a single certificate */
@@ -2599,11 +2602,20 @@ static STACK_OF(X509) *php_array_to_X509_sk(zval * zcerts, uint32_t arg_num, con
 				goto clean_exit;
 			}
 		}
-		sk_X509_push(sk, cert);
+		if (sk_X509_push(sk, cert) <= 0) {
+			X509_free(cert);
+			goto push_fail_exit;
+		}
 	}
 
 clean_exit:
 	return sk;
+
+push_fail_exit:
+	php_openssl_store_errors();
+	php_sk_X509_free(sk);
+	sk = NULL;
+	goto clean_exit;
 }
 /* }}} */