From ebe5e2992454038797972706b48dbf0ef17a086f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Fri, 29 Aug 2025 01:07:42 +0200 Subject: [PATCH 1/3] uri: Fix double-free when assigning `$errors` by reference fails `ZEND_TRY_ASSIGN_REF_ARR()` apparently consumes the to-be-assigned value even when it fails. --- ext/uri/php_uri.c | 1 - ext/uri/tests/057.phpt | 21 +++++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 ext/uri/tests/057.phpt diff --git a/ext/uri/php_uri.c b/ext/uri/php_uri.c index abdaa3eebe958..85124edc41af6 100644 --- a/ext/uri/php_uri.c +++ b/ext/uri/php_uri.c @@ -325,7 +325,6 @@ static zend_result pass_errors_by_ref_and_free(zval *errors_zv, zval *errors) ZEND_TRY_ASSIGN_REF_ARR(errors_zv, Z_ARRVAL_P(errors)); if (EG(exception)) { - zval_ptr_dtor(errors); return FAILURE; } diff --git a/ext/uri/tests/057.phpt b/ext/uri/tests/057.phpt new file mode 100644 index 0000000000000..e2a109ccdacb9 --- /dev/null +++ b/ext/uri/tests/057.phpt @@ -0,0 +1,21 @@ +--TEST-- +Test assigning errors by reference fails +--EXTENSIONS-- +uri +--FILE-- +x); +} catch (Throwable $e) { + echo $e::class, ": ", $e->getMessage(), PHP_EOL; +} + +?> +--EXPECT-- +TypeError: Cannot assign array to reference held by property Foo::$x of type string From bcc5181d9f5406c0659b5237c8dda6847c40cd94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Fri, 29 Aug 2025 01:11:44 +0200 Subject: [PATCH 2/3] uri: Fix leak of parsed URI when assigning soft errors by reference fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is not reproducible, because the URI object will still be referenced by Lexbor’s mraw instance and then cleanly destroyed at the end of the request. --- ext/uri/php_uri.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ext/uri/php_uri.c b/ext/uri/php_uri.c index 85124edc41af6..8f7dd2078e8ae 100644 --- a/ext/uri/php_uri.c +++ b/ext/uri/php_uri.c 
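Review bot: The failure branch of `pass_errors_by_ref_and_free()` now returns without releasing `errors`, but nothing in the code records why, so a function whose name ends in `_and_free` invites a later change that puts `zval_ptr_dtor(errors);` back and reintroduces the double free. The commit message only says the macro "apparently" consumes the value when it fails, so that should be confirmed against the macro definition and then stated in the branch, e.g. `/* ZEND_TRY_ASSIGN_REF_ARR() has already released the array on failure; destroying it again here is a double free. */`. The function body starts and ends outside this hunk, so how the success path disposes of `errors` cannot be checked from here. The new 057.phpt test only asserts on the `TypeError` message, so it will presumably catch a regression reliably only when run under a memory checker (ASan or valgrind).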
@@ -359,6 +359,7 @@ ZEND_ATTRIBUTE_NONNULL_ARGS(1, 2) PHPAPI void php_uri_instantiate_uri( } if (pass_errors_by_ref_and_free(errors_zv, &errors) == FAILURE) { + uri_parser->free_uri(uri); RETURN_THROWS(); } From def4c5844c8eb174748b58992ec4389c44767e6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Fri, 29 Aug 2025 20:45:18 +0200 Subject: [PATCH 3/3] NEWS --- NEWS | 2 ++ 1 file changed, 2 insertions(+) diff --git a/NEWS b/NEWS index 84f7de878cd58..2a13afcba95ae 100644 --- a/NEWS +++ b/NEWS @@ -16,6 +16,8 @@ PHP NEWS . Fixed memory management of Uri\WhatWg\Url objects. (timwolla) . Fixed memory management of the internal "parse_url" URI parser. (timwolla) + . Fixed double-free when assigning to $errors fails when using + the Uri\WhatWg\Url parser. (timwolla) . Clean up naming of internal API. (timwolla) 28 Aug 2025, PHP 8.5.0beta2
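Review bot: The added `uri_parser->free_uri(uri);` on the failure path of `php_uri_instantiate_uri()` has no regression test, and the commit message says the leak cannot be observed because the URI stays referenced by Lexbor's mraw until the end of the request. It is therefore worth confirming that each parser's `free_uri` handler is safe to call here and leaves nothing for the end-of-request cleanup to release a second time; the hunk does not show this. A short comment such as `/* uri has not been handed to the object yet, so release it before bailing out */` would document the ownership, assuming that is the actual state. The rest of the function, including where `uri` is attached to the object and any other early returns after parsing, lies outside the hunk.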