uri: Fix memory safety violations when assigning $errors by reference fails (#19628)

* uri: Fix double-free when assigning `$errors` by reference fails

`ZEND_TRY_ASSIGN_REF_ARR()` apparently consumes the to-be-assigned value even
when it fails.

* uri: Fix leak of parsed URI when assigning soft errors by reference fails

This is not reproducible, because the URI object will still be referenced by
Lexbor’s mraw instance and then cleanly destroyed at the end of the request.

* NEWS

NEWS

@@ -23,6 +23,8 @@ PHP                                                                        NEWS
   . Fixed memory management of Uri\WhatWg\Url objects. (timwolla)
   . Fixed memory management of the internal "parse_url" URI parser.
     (timwolla)
+  . Fixed double-free when assigning to $errors fails when using
+    the Uri\WhatWg\Url parser. (timwolla)
   . Clean up naming of internal API. (timwolla)
 
 28 Aug 2025, PHP 8.5.0beta2

ext/uri/php_uri.c

@@ -325,7 +325,6 @@ static zend_result pass_errors_by_ref_and_free(zval *errors_zv, zval *errors)
 
 	ZEND_TRY_ASSIGN_REF_ARR(errors_zv, Z_ARRVAL_P(errors));
 	if (EG(exception)) {
-		zval_ptr_dtor(errors);
 		return FAILURE;
 	}
 
@@ -360,6 +359,7 @@ ZEND_ATTRIBUTE_NONNULL_ARGS(1, 2) PHPAPI void php_uri_instantiate_uri(
 	}
 
 	if (pass_errors_by_ref_and_free(errors_zv, &errors) == FAILURE) {
+		uri_parser->free_uri(uri);
 		RETURN_THROWS();
 	}
 

ext/uri/tests/057.phpt

@@ -0,0 +1,21 @@
+--TEST--
+Test assigning errors by reference fails
+--EXTENSIONS--
+uri
+--FILE--
+<?php
+
+class Foo {
+	public string $x = '';
+}
+
+$f = new Foo();
+try {
+    Uri\WhatWg\Url::parse(" https://example.org ", errors: $f->x);
+} catch (Throwable $e) {
+    echo $e::class, ": ", $e->getMessage(), PHP_EOL;
+} 
+
+?>
+--EXPECT--
+TypeError: Cannot assign array to reference held by property Foo::$x of type string