From 7610527d756cb024215533950a41a3813e9b79e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 18 Nov 2025 17:30:51 +0100 Subject: [PATCH] lexbor: Cherry pick "URL: fixed "use-after-poison" for an empty path entry." see lexbor/lexbor@9259b169e3cdaed9c61622dab92abb457bb8ddf5 Fixes php/php-src#20502 Fixes php/php-src#20521 --- NEWS | 2 ++ ext/lexbor/lexbor/url/url.c | 27 +++++++++++++++++---------- 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/NEWS b/NEWS index 469edebbb67..daf490e95f4 100644 --- a/NEWS +++ b/NEWS @@ -25,6 +25,8 @@ PHP NEWS - Lexbor: . Fixed bug GH-20501 (\Uri\WhatWg\Url lose host after calling withPath() or withQuery()). (lexborisov) + . Fixed bug GH-20502 (\Uri\WhatWg\Url crashes (SEGV) when parsing + malformed URL due to Lexbor memory corruption). (lexborisov) - Opcache: . Fixed bug GH-20329 (opcache.file_cache broken with full interned string diff --git a/ext/lexbor/lexbor/url/url.c b/ext/lexbor/lexbor/url/url.c index 99ba809b05f..3483013eeaa 100644 --- a/ext/lexbor/lexbor/url/url.c +++ b/ext/lexbor/lexbor/url/url.c 
@@ -1029,27 +1029,34 @@ lxb_url_path_append_wo_slash(lxb_url_t *url,
 static lxb_status_t
 lxb_url_path_append(lxb_url_t *url, const lxb_char_t *data, size_t length)
 {
-    size_t len;
-    lxb_char_t *p;
+    lxb_char_t *p, *begin;
     lexbor_str_t *str;
 
     str = &url->path.str;
 
     if (str->data == NULL) {
         p = lexbor_str_init(str, url->mraw, length + 1);
-        if (p == NULL) {
-            return LXB_STATUS_ERROR_MEMORY_ALLOCATION;
-        }
+    }
+    else {
+        /* + 2 == begin '/' and end '\0' */
+        p = lexbor_str_check_size(str, url->mraw, length + 2);
     }
 
-    len = str->length;
-    str->length += 1;
+    if (p == NULL) {
+        return LXB_STATUS_ERROR_MEMORY_ALLOCATION;
+    }
 
-    p = lexbor_str_append(&url->path.str, url->mraw, data, length);
+    begin = &str->data[str->length];
+    begin[0] = '/';
 
-    str->data[len] = '/';
+    if (length > 0) {
+        memcpy(&begin[1], data, sizeof(lxb_char_t) * length);
+    }
 
-    return (p != NULL) ? LXB_STATUS_OK : LXB_STATUS_ERROR_MEMORY_ALLOCATION;
+    str->length += length + 1;
+    str->data[str->length] = '\0';
+
+    return LXB_STATUS_OK;
 }
 
 static lxb_status_t
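Review bot: The two allocation branches request different headroom for the same bytes that are then written: the NULL-data branch calls `lexbor_str_init(str, url->mraw, length + 1)` while the else branch asks for `length + 2`, and only the latter carries a comment explaining that the extra bytes are the leading '/' and the trailing '\0'. The +1 form is safe only if lexbor_str_init reserves one byte for the terminator on its own (the removed code used the same +1 before appending, which suggests it does, but nothing in the hunk shows it); if it does not, the final `str->data[str->length] = '\0'` lands one past a freshly initialised buffer of exactly length + 1 bytes. A comment on the init call mirroring the else branch, `/* + 1 == begin '/'; the terminating '\0' is reserved by lexbor_str_init itself */`, would record the assumption so the asymmetry reads as deliberate rather than as a missed byte. The whole of lxb_url_path_append lies inside the hunk, so no part of its body is hidden from this review.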