Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3: Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure
2026-03-24 00:02:20 +01:00 · 2025-06-03 23:46:21 +02:00
parent 81593cfc6a 08a9579883
commit 87ff5479fc
3 changed files with 27 additions and 0 deletions
--- a/4
+++ b/4
@@ -26,6 +26,10 @@ PHP                                                                        NEWS
  . Fix memory leak in intl_datetime_decompose() on failure. (nielsdos)
  . Fix memory leak in locale lookup on failure. (nielsdos)

+- OpenSSL:
+  . Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
+    (nielsdos)
+
 - Phar:
  . Add missing filter cleanups on phar failure. (nielsdos)
  . Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek). (nielsdos)
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -2443,6 +2443,7 @@ static X509_STORE *php_openssl_setup_verify(zval *calist, uint32_t arg_num)
 		ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(calist), item) {
 			zend_string *str = zval_try_get_string(item);
 			if (UNEXPECTED(!str)) {
+				X509_STORE_free(store);
 				return NULL;
 			}

--- a/ext/openssl/tests/memory_leak_x509_store.phpt
+++ b/ext/openssl/tests/memory_leak_x509_store.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Memory leak of X509_STORE in php_openssl_setup_verify() on failure
+--EXTENSIONS--
+openssl
+--FILE--
+<?php
+
+class MyStringable{
+    public function __toString(): string {
+        throw new Error('stop');
+    }
+}
+
+try {
+    openssl_pkcs7_verify("does not matter", 0, "does not matter", [new MyStringable]);
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+stop