From 94678d99ceafd93ffc0dcfed5138f182e71e97d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
Date: Sat, 30 Aug 2025 21:21:57 +0200
Subject: [PATCH] uri: Fix memory safety violations when assigning `$errors` by
 reference fails (#19628)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* uri: Fix double-free when assigning `$errors` by reference fails

`ZEND_TRY_ASSIGN_REF_ARR()` apparently consumes the to-be-assigned value even
when it fails.

* uri: Fix leak of parsed URI when assigning soft errors by reference fails

This is not reproducible, because the URI object will still be referenced by
Lexbor’s mraw instance and then cleanly destroyed at the end of the request.

* NEWS
---
 NEWS                   |  2 ++
 ext/uri/php_uri.c      |  2 +-
 ext/uri/tests/057.phpt | 21 +++++++++++++++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 ext/uri/tests/057.phpt

diff --git a/NEWS b/NEWS
index 35d5c34b6fc..bf80ab696b0 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,8 @@ PHP                                                                        NEWS
   . Fixed memory management of Uri\WhatWg\Url objects. (timwolla)
   . Fixed memory management of the internal "parse_url" URI parser.
     (timwolla)
+  . Fixed double-free when assigning to $errors fails when using
+    the Uri\WhatWg\Url parser. (timwolla)
   . Clean up naming of internal API. (timwolla)
 
 28 Aug 2025, PHP 8.5.0beta2
diff --git a/ext/uri/php_uri.c b/ext/uri/php_uri.c
index 0a1abd7de4e..8ef25c02017 100644
--- a/ext/uri/php_uri.c
+++ b/ext/uri/php_uri.c
@@ -325,7 +325,6 @@ static zend_result pass_errors_by_ref_and_free(zval *errors_zv, zval *errors)
 
 	ZEND_TRY_ASSIGN_REF_ARR(errors_zv, Z_ARRVAL_P(errors));
 	if (EG(exception)) {
-		zval_ptr_dtor(errors);
 		return FAILURE;
 	}
 
@@ -360,6 +359,7 @@ ZEND_ATTRIBUTE_NONNULL_ARGS(1, 2) PHPAPI void php_uri_instantiate_uri(
 	}
 
 	if (pass_errors_by_ref_and_free(errors_zv, &errors) == FAILURE) {
+		uri_parser->free_uri(uri);
 		RETURN_THROWS();
 	}
 
diff --git a/ext/uri/tests/057.phpt b/ext/uri/tests/057.phpt
new file mode 100644
index 00000000000..e2a109ccdac
--- /dev/null
+++ b/ext/uri/tests/057.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Test assigning errors by reference fails
+--EXTENSIONS--
+uri
+--FILE--
+<?php
+
+class Foo {
+	public string $x = '';
+}
+
+$f = new Foo();
+try {
+    Uri\WhatWg\Url::parse(" https://example.org ", errors: $f->x);
+} catch (Throwable $e) {
+    echo $e::class, ": ", $e->getMessage(), PHP_EOL;
+} 
+
+?>
+--EXPECT--
+TypeError: Cannot assign array to reference held by property Foo::$x of type string