From f5a3a642c610eca5d53b5f0fa0c9d7c52e99d4eb Mon Sep 17 00:00:00 2001
From: Gina Peter Banyard
Date: Sat, 23 Aug 2025 14:25:42 +0100
Subject: [PATCH 1/2] ext/phar: Fix memory leaks when verifying OpenSSL signature (#19563)
---
 ext/phar/util.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ext/phar/util.c b/ext/phar/util.c
index 04efe89d8fc..416aa1dcd7b 100644
--- a/ext/phar/util.c
+++ b/ext/phar/util.c
@@ -1903,6 +1903,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat
 if (!EVP_SignInit(md_ctx, mdtype)) {
 EVP_PKEY_free(key);
+ EVP_MD_CTX_free(md_ctx);
 efree(sigbuf);
 if (error) {
 spprintf(error, 0, "unable to initialize openssl signature for phar \"%s\"", phar->fname);
@@ -1913,6 +1914,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat
 while ((sig_len = php_stream_read(fp, (char*)buf, sizeof(buf))) > 0) {
 if (!EVP_SignUpdate(md_ctx, buf, sig_len)) {
 EVP_PKEY_free(key);
+ EVP_MD_CTX_free(md_ctx);
 efree(sigbuf);
 if (error) {
 spprintf(error, 0, "unable to update the openssl signature for phar \"%s\"", phar->fname);
@@ -1923,6 +1925,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat
 if (!EVP_SignFinal (md_ctx, sigbuf, &siglen, key)) {
 EVP_PKEY_free(key);
+ EVP_MD_CTX_free(md_ctx);
 efree(sigbuf);
 if (error) {
 spprintf(error, 0, "unable to write phar \"%s\" with requested openssl signature", phar->fname);
@@ -1932,7 +1935,7 @@ int phar_create_signature(phar_archive_data *phar, php_stream *fp, char **signat
 sigbuf[siglen] = '\0';
 EVP_PKEY_free(key);
- EVP_MD_CTX_destroy(md_ctx);
+ EVP_MD_CTX_free(md_ctx);
 #else
 size_t siglen;
 sigbuf = NULL;
From e46f77c861148d90d26fd241269f7962a54fae41 Mon Sep 17 00:00:00 2001
From: Gina Peter Banyard
Date: Sat, 23 Aug 2025 15:27:01 +0200
Subject: [PATCH 2/2] Update NEWS for Phar memory leak fix
---
 NEWS | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/NEWS b/NEWS
index 80b84fe03a9..97cbb733ca7 100644
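Review bot: The three added `EVP_MD_CTX_free(md_ctx);` calls and the renamed call in the last hunk use the OpenSSL 1.1.0 spelling, while the removed line used `EVP_MD_CTX_destroy(md_ctx);`. If this branch can still be built against an OpenSSL older than 1.1.0, which only provides the `destroy` name, the new calls will not compile, so confirm the minimum supported version or keep `EVP_MD_CTX_destroy` in all four places. The same cleanup triple, `EVP_PKEY_free(key); EVP_MD_CTX_free(md_ctx); efree(sigbuf);`, is now repeated in the EVP_SignInit, EVP_SignUpdate and EVP_SignFinal failure branches, and that kind of duplication is presumably how the context free was missed before. A single cleanup label reached by `goto` from each branch would keep the error paths from drifting again. All four hunks sit inside phar_create_signature, whose body starts and ends outside the hunks, so the allocation of md_ctx and the return statements are not visible here; note also that the subject line says "verifying" while the hunk headers show the signing function.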
--- a/NEWS +++ b/NEWS @@ -16,6 +16,9 @@ PHP NEWS . Fixed bug GH-19485 (potential use after free when using persistent pgsql connections). (Mark Karpeles) +- Phar: + . Fixed memory leaks when verifying OpenSSL signature. (Girgias) + - Standard: . Fixed bug GH-16649 (UAF during array_splice). (alexandre-daubois)