From 11ea995ff3966ae2c5bf2bceb5a6853ca68401d5 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Tue, 1 Jul 2025 00:44:50 +0200 Subject: [PATCH 1/3] curl: Remove incorrect string release on error The string is owned by the caller, and the caller releases it. Closes GH-18989. --- NEWS | 1 + ext/curl/interface.c | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 259270fdfcf..22f667e5744 100644 --- a/NEWS +++ b/NEWS @@ -13,6 +13,7 @@ PHP NEWS - Curl: . Fix memory leaks when returning refcounted value from curl callback. (nielsdos) + . Remove incorrect string release. (nielsdos) - LDAP: . Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 6c480907b76..b3139422cff 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -1369,7 +1369,6 @@ static inline CURLcode add_simple_field(struct HttpPost **first, struct HttpPost part = curl_mime_addpart(mime); if (part == NULL) { zend_tmp_string_release(tmp_postval); - zend_string_release_ex(string_key, 0); return CURLE_OUT_OF_MEMORY; } if ((form_error = curl_mime_name(part, ZSTR_VAL(string_key))) != CURLE_OK From 09c223de00af9b312e49db7bbc915aefaca5dbf8 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Tue, 1 Jul 2025 21:10:33 +0200 Subject: [PATCH 2/3] Fix leak when path is too long in ZipArchive::extractTo() I did not find an easy way to trigger this branch without also triggering some other error conditions earlier. Closes GH-19002. --- NEWS | 3 +++ ext/zip/php_zip.c | 1 + 2 files changed, 4 insertions(+) diff --git a/NEWS b/NEWS index 22f667e5744..5df4c88e972 100644 --- a/NEWS +++ b/NEWS 
@@ -42,6 +42,9 @@ PHP NEWS . Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter fatal error). (Jakub Zelenka) +- Zip: + . Fix leak when path is too long in ZipArchive::extractTo(). (nielsdos) + 03 Jul 2025, PHP 8.3.23 - Core: diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c index 62f51ce9f35..3710b304c35 100644 --- a/ext/zip/php_zip.c +++ b/ext/zip/php_zip.c @@ -218,6 +218,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, const char *file, s return 0; } else if (len > MAXPATHLEN) { php_error_docref(NULL, E_WARNING, "Full extraction path exceed MAXPATHLEN (%i)", MAXPATHLEN); + efree(fullpath); efree(file_dirname_fullpath); zend_string_release_ex(file_basename, 0); CWD_STATE_FREE(new_state.cwd); From 69328ba304f2a47e0e9b3ba872db5681982efb96 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Tue, 1 Jul 2025 19:50:52 +0200 Subject: [PATCH 3/3] Fix GH-18990, bug #81029, bug #47314: SOAP HTTP socket not closing on object destruction Currently the resource is attached to the object and its refcount is increased. This means that the refcount to the resource is 2 instead of 1 as expected. A refcount of 2 is necessary in the current code because of how the error handling works: by using convert_to_null() the resource actually goes to rc_dtor_func(), dropping its refcount to 1. So on error the refcount is correct. To solve the issue, let `stream` conceptually be a borrow of the resource with refcount 1, and just use ZVAL_NULL() to prevent calling rc_dtor_func() on the resource. Closes GH-19001. --- NEWS | 4 +++ ext/soap/php_http.c | 21 +++++------- ext/soap/tests/bugs/gh18990.phpt | 58 ++++++++++++++++++++++++++++++++ 3 files changed, 71 insertions(+), 12 deletions(-) create mode 100644 ext/soap/tests/bugs/gh18990.phpt diff --git a/NEWS b/NEWS index 5df4c88e972..08be236abbd 100644 --- a/NEWS +++ b/NEWS 
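Review bot: In the `len > MAXPATHLEN` branch of php_zip_extract_file, the added `efree(fullpath);` is one more hand-written release in an error path that, per the commit message, could not be reached from a test, so nothing exercises the new cleanup. Entry names come from the archive being extracted, so every early return after the path buffers are built should free the same set. A shared cleanup label that releases `fullpath`, `file_dirname_fullpath`, `file_basename` and the cwd state would keep the branches from drifting apart again. At minimum, add a comment on the branch such as `/* every return past this point must free fullpath and file_dirname_fullpath */`. The function body starts and ends outside the hunk, so whether the other returns also free `fullpath` has to be checked there.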
@@ -32,6 +32,10 @@ PHP NEWS . Fixed bug GH-18958 (Fatal error during shutdown after pcntl_rfork() or pcntl_forkx() with zend-max-execution-timers). (Arnaud) +- SOAP: + . Fixed bug GH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing + on object destruction). (nielsdos) + - Standard: . Fix misleading errors in printf(). (nielsdos) . Fix RCN violations in array functions. (nielsdos) diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c index c908bb4d8ff..3dfafda4f95 100644 --- a/ext/soap/php_http.c +++ b/ext/soap/php_http.c @@ -511,9 +511,9 @@ try_again: zend_string_equals(orig->host, phpurl->host) && orig->port == phpurl->port))) { } else { + ZVAL_NULL(Z_CLIENT_HTTPSOCKET_P(this_ptr)); php_stream_close(stream); convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr)); - convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr)); convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr)); stream = NULL; use_proxy = 0; @@ -522,9 +522,9 @@ try_again: /* Check if keep-alive connection is still opened */ if (stream != NULL && php_stream_eof(stream)) { + ZVAL_NULL(Z_CLIENT_HTTPSOCKET_P(this_ptr)); php_stream_close(stream); convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr)); - convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr)); convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr)); stream = NULL; use_proxy = 0; @@ -533,9 +533,7 @@ try_again: if (!stream) { stream = http_connect(this_ptr, phpurl, use_ssl, context, &use_proxy); if (stream) { - php_stream_auto_cleanup(stream); - ZVAL_RES(Z_CLIENT_HTTPSOCKET_P(this_ptr), stream->res); - GC_ADDREF(stream->res); + php_stream_to_zval(stream, Z_CLIENT_HTTPSOCKET_P(this_ptr)); ZVAL_LONG(Z_CLIENT_USE_PROXY_P(this_ptr), use_proxy); } else { php_url_free(phpurl); @@ -555,7 +553,6 @@ try_again: zval *cookies, *login, *password; zend_resource *ret = zend_register_resource(phpurl, le_url); ZVAL_RES(Z_CLIENT_HTTPURL_P(this_ptr), ret); - GC_ADDREF(ret); if (context && (tmp = php_stream_context_get_option(context, "http", "protocol_version")) != NULL && 
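Review bot: The pair `ZVAL_NULL(Z_CLIENT_HTTPSOCKET_P(this_ptr)); php_stream_close(stream);` added in the `@@ -511` hunk depends on both the macro and the order, and nothing in the code says so. Per the commit message the property now holds the only reference to the stream resource, so going back to `convert_to_null()` here would run the resource destructor on a stream that `php_stream_close()` also frees. The same pair is repeated in the hunks at -522, -683, -901, -919, -933, -1102 and -1119. A small static helper, for example `static void http_close_socket(zval *this_ptr, php_stream *stream)`, carrying the comment `/* the property borrows the stream (refcount 1): detach with ZVAL_NULL(), then close */`, would state the invariant once. The enclosing function starts and ends outside these hunks.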
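Review bot: With `GC_ADDREF(ret);` removed in the `@@ -555` hunk, the URL resource stored in `Z_CLIENT_HTTPURL_P(this_ptr)` has a single reference. The `convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr))` calls kept in the error paths (hunks -511, -522, -683, -901) will therefore presumably destroy the resource and free the `phpurl` it wraps. Any later read of the local `phpurl` on those paths would then be a use-after-free; the code following those calls is outside the hunks, so this needs confirming against the full function. The socket and the URL now also use different teardown idioms, which deserves a comment next to `zend_register_resource(phpurl, le_url)`, e.g. `/* property owns the only reference; convert_to_null() releases phpurl */`.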
@@ -683,9 +680,9 @@ try_again:
 if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) {
 ZEND_ASSERT(EG(exception));
+ ZVAL_NULL(Z_CLIENT_HTTPSOCKET_P(this_ptr));
 php_stream_close(stream);
 convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr));
- convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr));
 convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr));
 smart_str_free(&soap_headers_z);
 smart_str_free(&soap_headers);
@@ -901,9 +898,9 @@ try_again:
 if (request != buf) {
 zend_string_release_ex(request, 0);
 }
+ ZVAL_NULL(Z_CLIENT_HTTPSOCKET_P(this_ptr));
 php_stream_close(stream);
 convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr));
- convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr));
 convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr));
 add_soap_fault(this_ptr, "HTTP", "Failed Sending HTTP SOAP request", NULL, NULL);
 smart_str_free(&soap_headers_z);
@@ -919,8 +916,8 @@ try_again:
 }
 if (!return_value) {
+ ZVAL_NULL(Z_CLIENT_HTTPSOCKET_P(this_ptr));
 php_stream_close(stream);
- convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr));
 convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr));
 smart_str_free(&soap_headers_z);
 efree(http_msg);
@@ -933,8 +930,8 @@ try_again:
 if (request != buf) {
 zend_string_release_ex(request, 0);
 }
+ ZVAL_NULL(Z_CLIENT_HTTPSOCKET_P(this_ptr));
 php_stream_close(stream);
- convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr));
 convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr));
 add_soap_fault(this_ptr, "HTTP", "Error Fetching http headers", NULL, NULL);
 smart_str_free(&soap_headers_z);
@@ -1102,9 +1099,9 @@ try_again:
 if (request != buf) {
 zend_string_release_ex(request, 0);
 }
+ ZVAL_NULL(Z_CLIENT_HTTPSOCKET_P(this_ptr));
 php_stream_close(stream);
 zend_string_release_ex(http_headers, 0);
- convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr));
 convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr));
 add_soap_fault(this_ptr, "HTTP", "Error Fetching http body, No Content-Length, connection closed or chunked data", NULL, NULL);
 if (http_msg) {
@@ -1119,8 +1116,8 @@ try_again: } if (http_close) { + ZVAL_NULL(Z_CLIENT_HTTPSOCKET_P(this_ptr)); php_stream_close(stream); - convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr)); convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr)); stream = NULL; } diff --git a/ext/soap/tests/bugs/gh18990.phpt b/ext/soap/tests/bugs/gh18990.phpt new file mode 100644 index 00000000000..30dbc0fe8b7 --- /dev/null +++ b/ext/soap/tests/bugs/gh18990.phpt @@ -0,0 +1,58 @@ +--TEST-- +GH-18990 (SOAP HTTP socket not closing on object destruction) +--INI-- +soap.wsdl_cache_enabled=0 +--EXTENSIONS-- +soap +--SKIPIF-- + +text0text1text2text3text4text5text6text7text8text9 +EOF; + +$responses = [ + "data://text/plain,HTTP/1.1 200 OK\r\n". + "Content-Type: text/xml;charset=utf-8\r\n". + "Connection: Keep-Alive\r\n". + "Content-Length: ".strlen($wsdl)."\r\n". + "\r\n". + $wsdl, + + "data://text/plain,HTTP/1.1 200 OK\r\n". + "Content-Type: text/xml;charset=utf-8\r\n". + "Connection: Keep-Alive\r\n". + "Content-Length: ".strlen($soap)."\r\n". + "\r\n". + $soap, +]; + +['pid' => $pid, 'uri' => $uri] = http_server($responses); + +$options = [ + 'trace' => false, + 'location' => $uri, +]; + +$cnt = count(get_resources()); + +$client = new SoapClient($uri, $options); + +var_dump(count($client->getItems())); + +http_server_kill($pid); + +unset($client); +var_dump(count(get_resources()) - $cnt); +?> +--EXPECT-- +int(10) +int(0)
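Review bot: As far as the visible part of gh18990.phpt shows, the test only checks the resource count after one successful keep-alive call followed by `unset($client)`. None of the error branches in php_http.c that were reordered to `ZVAL_NULL(...)` before `php_stream_close(stream)` is exercised. A second case where the server closes the connection or sends a truncated response before the client is destroyed would cover at least one of those branches, and a sanitizer build would then report any double release. The `count(get_resources()) - $cnt` check also counts every resource in the process, so a comment such as `// nothing else may allocate a resource between the two counts` would protect it from later edits.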