From d0630e850b61df8283a763b19e26dbf4deb7dc38 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Thu, 4 Sep 2025 22:21:04 +0200
Subject: [PATCH] Avoid double conversion to string in
 php_userstreamop_readdir()

The string is converted twice for some reason.
This is pointless, and furthermore, this is observable in userspace code
when dealing with Stringable objects.

Closes GH-19713.
---
 NEWS                     | 1 +
 main/streams/userspace.c | 7 ++-----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/NEWS b/NEWS
index 9dcddfbd27f..2cda743be40 100644
--- a/NEWS
+++ b/NEWS
@@ -43,6 +43,7 @@ PHP                                                                        NEWS
 - Streams:
   . Fixed bug GH-14506 (Closing a userspace stream inside a userspace handler
     causes heap corruption). (nielsdos)
+  . Avoid double conversion to string in php_userstreamop_readdir(). (nielsdos)
 
 - URI:
   . Fixed memory management of Uri\WhatWg\Url objects. (timwolla)
diff --git a/main/streams/userspace.c b/main/streams/userspace.c
index 30a80cacaaa..338c63bbaa7 100644
--- a/main/streams/userspace.c
+++ b/main/streams/userspace.c
@@ -1349,14 +1349,11 @@ static ssize_t php_userstreamop_readdir(php_stream *stream, char *buf, size_t co
 	}
 	// TODO: Warn/TypeError for invalid returns?
 	if (Z_TYPE(retval) != IS_FALSE && Z_TYPE(retval) != IS_TRUE) {
-		zend_string *str = zval_try_get_string(&retval);
-		if (UNEXPECTED(str == NULL)) {
+		if (UNEXPECTED(!try_convert_to_string(&retval))) {
 			zval_ptr_dtor(&retval);
 			return -1;
 		}
-		convert_to_string(&retval);
-		PHP_STRLCPY(ent->d_name, ZSTR_VAL(str), sizeof(ent->d_name), ZSTR_LEN(str));
-		zend_string_release(str);
+		PHP_STRLCPY(ent->d_name, Z_STRVAL(retval), sizeof(ent->d_name), Z_STRLEN(retval));
 		ent->d_type = DT_UNKNOWN;
 
 		didread = sizeof(php_stream_dirent);