From 11ce662101fedc9b4617672963ce5e31a7ec0309 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Mon, 29 Sep 2025 22:36:15 +0200 Subject: [PATCH 1/7] lexbor: Cherry pick "Core: Reset length in lexbor_str_destroy()" see lexbor/lexbor@1bc9944a19e837a38f5e47462d3e5abf2caa9387 Fixes php/php-src#19979 --- NEWS | 5 ++++- ext/lexbor/lexbor/core/str.c | 1 + ext/uri/tests/gh19979.phpt | 28 ++++++++++++++++++++++++++++ 3 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 ext/uri/tests/gh19979.phpt diff --git a/NEWS b/NEWS index a6749b8ed404..51c3a3df7ef8 100644 --- a/NEWS +++ b/NEWS @@ -6,7 +6,10 @@ PHP NEWS . Fixed segfault in function JIT due to NAN to bool warning. (Girgias) - URI: - . Fixed Uri\WhatWg\Url::withPort() when an invalid value is passed. (timwolla) + . Fixed Uri\WhatWg\Url::withPort() when an invalid value is passed. + (timwolla) + . Fixed Uri\WhatWg\Url::parse() when resolving a relative URL + against a base URL with query or fragment. (timwolla) - SOAP: . Fixed bug GH-19773 (SIGSEGV due to uninitialized soap_globals->lang_en). diff --git a/ext/lexbor/lexbor/core/str.c b/ext/lexbor/lexbor/core/str.c index d11a08614dd4..bf8fc547d88d 100644 --- a/ext/lexbor/lexbor/core/str.c +++ b/ext/lexbor/lexbor/core/str.c @@ -80,6 +80,7 @@ lexbor_str_destroy(lexbor_str_t *str, lexbor_mraw_t *mraw, bool destroy_obj) } if (str->data != NULL) { + lexbor_str_clean(str); str->data = lexbor_mraw_free(mraw, str->data); } diff --git a/ext/uri/tests/gh19979.phpt b/ext/uri/tests/gh19979.phpt new file mode 100644 index 000000000000..982dfb935943 --- /dev/null +++ b/ext/uri/tests/gh19979.phpt 
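Review bot: The new `lexbor_str_clean(str);` call sits inside the `str->data != NULL` branch, so a string whose data pointer is already NULL keeps whatever length it had; if lexbor_str_clean only resets the length (the commit subject suggests so, the hunk does not show it), hoisting the call above the `if` would make the reset unconditional at no extra cost. The reason for the reset is also invisible at the call site — a one-line comment such as `/* reset length before the data is released so a destroyed str never reports a stale length (GH-19979) */` would save the next reader a trip to the bug tracker. lexbor_str_destroy begins before and ends after this hunk, so the `destroy_obj` handling is not visible here.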
@@ -0,0 +1,28 @@ +--TEST-- +GH-19979: Zend/zend_string.h:191:24: runtime error: null pointer passed as argument 2, which is declared to never be null +--FILE-- + +--EXPECTF-- +object(Uri\WhatWg\Url)#%d (8) { + ["scheme"]=> + string(5) "https" + ["username"]=> + NULL + ["password"]=> + NULL + ["host"]=> + string(11) "example.com" + ["port"]=> + NULL + ["path"]=> + string(9) "/relative" + ["query"]=> + NULL + ["fragment"]=> + NULL +} From c997212dbfa53947650304f2a86233325c6c66bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Mon, 29 Sep 2025 22:44:39 +0200 Subject: [PATCH 2/7] NEWS: Fix section order --- NEWS | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 51c3a3df7ef8..c21d7801b3ff 100644 --- a/NEWS +++ b/NEWS @@ -5,16 +5,16 @@ PHP NEWS - Opcache . Fixed segfault in function JIT due to NAN to bool warning. (Girgias) +- SOAP: + . Fixed bug GH-19773 (SIGSEGV due to uninitialized soap_globals->lang_en). + (nielsdos, KaseyJenkins) + - URI: . Fixed Uri\WhatWg\Url::withPort() when an invalid value is passed. (timwolla) . Fixed Uri\WhatWg\Url::parse() when resolving a relative URL against a base URL with query or fragment. (timwolla) -- SOAP: - . Fixed bug GH-19773 (SIGSEGV due to uninitialized soap_globals->lang_en). - (nielsdos, KaseyJenkins) - 25 Sep 2025, PHP 8.5.0RC1 - Core: From 3ee56f68edb2d1c2a3dc3713d499af42f37b00ad Mon Sep 17 00:00:00 2001 From: David Carlier Date: Tue, 23 Sep 2025 19:02:14 +0100 Subject: [PATCH 3/7] Fix GH-19932: Zip::setEncryptionName()/setEncryptionIndex() memory leak. On successive usage, the password is copied as much but the older address is never freed. Thus, we are hinting a password reset to address it. close GH-19936 --- NEWS | 2 ++ ext/zip/php_zip.c | 10 ++++++++++ ext/zip/tests/gh19932.phpt | 25 +++++++++++++++++++++++++ 3 files changed, 37 insertions(+) create mode 100644 ext/zip/tests/gh19932.phpt diff --git a/NEWS b/NEWS index 3955fab9ed22..26860c58ee94 100644 
--- a/NEWS +++ b/NEWS @@ -43,6 +43,8 @@ PHP NEWS - Zip: . Fixed bug GH-19688 (Remove pattern overflow in zip addGlob()). (nielsdos) + . Fixed bug GH-19932 (Memory leak in zip setEncryptionName()/setEncryptionIndex()). + (David Carlier) 25 Sep 2025, PHP 8.3.26 diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c index 3613fb0f7ca7..552d3a7571de 100644 --- a/ext/zip/php_zip.c +++ b/ext/zip/php_zip.c @@ -2380,6 +2380,11 @@ PHP_METHOD(ZipArchive, setEncryptionName) RETURN_FALSE; } + if (UNEXPECTED(zip_file_set_encryption(intern, idx, ZIP_EM_NONE, NULL) < 0)) { + php_error_docref(NULL, E_WARNING, "password reset failed"); + RETURN_FALSE; + } + if (zip_file_set_encryption(intern, idx, (zip_uint16_t)method, password)) { RETURN_FALSE; } @@ -2403,6 +2408,11 @@ PHP_METHOD(ZipArchive, setEncryptionIndex) ZIP_FROM_OBJECT(intern, self); + if (UNEXPECTED(zip_file_set_encryption(intern, index, ZIP_EM_NONE, NULL) < 0)) { + php_error_docref(NULL, E_WARNING, "password reset failed"); + RETURN_FALSE; + } + if (zip_file_set_encryption(intern, index, (zip_uint16_t)method, password)) { RETURN_FALSE; } diff --git a/ext/zip/tests/gh19932.phpt b/ext/zip/tests/gh19932.phpt new file mode 100644 index 000000000000..760fa1c9e766 --- /dev/null +++ b/ext/zip/tests/gh19932.phpt @@ -0,0 +1,25 @@ +--TEST-- +GH-19932 (ZipArchive::setEncryptionName()/setEncryptionIndex() memory leak) +--EXTENSIONS-- +zip +--SKIPIF-- + +--FILE-- +open(__DIR__ . "/gh19932.zip", ZipArchive::CREATE); +$zip->addFromString("test.txt", "test"); +$zip->setEncryptionName("test.txt", ZipArchive::EM_AES_256, "password"); +$zip->setEncryptionName("test.txt", ZipArchive::EM_AES_256, "password"); +$zip->setEncryptionIndex("0", ZipArchive::EM_AES_256, "password"); +$zip->setEncryptionIndex("0", ZipArchive::EM_AES_256, "password"); +$zip->close(); +echo "OK"; +?> +--CLEAN-- + +--EXPECT-- +OK + From 93bac8cb1a7230ac9d34a7cb8f392aeaa621723d Mon Sep 17 00:00:00 2001 
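Review bot: Resetting the entry to `ZIP_EM_NONE` before the real call changes the failure mode of setEncryptionName: if the following `zip_file_set_encryption(intern, idx, (zip_uint16_t)method, password)` fails (unsupported method, rejected password), the entry is left unencrypted instead of keeping its previous encryption setting, so a caller that ignores the `false` return may write out a plaintext entry it believed was still protected. The same applies to the setEncryptionIndex hunk below. If libzip offers no way to replace the password in place, at least check that `method` is one libzip accepts before the reset, or make the downgrade explicit in a comment next to the new call, e.g. `/* clear the previous password first so libzip frees it (GH-19932); if the re-set below fails the entry stays unencrypted */`. The two checks also differ in style — `< 0` plus a warning for the reset, bare truthiness and a silent `RETURN_FALSE` for the set — and would read better aligned. Both PHP_METHOD bodies start before their hunks.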
From: David Carlier Date: Mon, 22 Sep 2025 19:02:46 +0100 Subject: [PATCH 4/7] Fix GH-19922: gzopen() double free close GH-19924 --- NEWS | 3 +++ ext/zlib/tests/gh19922.phpt | 12 ++++++++++++ main/streams/streams.c | 9 +-------- 3 files changed, 16 insertions(+), 8 deletions(-) create mode 100644 ext/zlib/tests/gh19922.phpt diff --git a/NEWS b/NEWS index 26860c58ee94..a7f5149c5e21 100644 --- a/NEWS +++ b/NEWS @@ -46,6 +46,9 @@ PHP NEWS . Fixed bug GH-19932 (Memory leak in zip setEncryptionName()/setEncryptionIndex()). (David Carlier) +- Zlib: + . Fixed bug GH-19922 (Double free on gzopen). (David Carlier) + 25 Sep 2025, PHP 8.3.26 - Core: diff --git a/ext/zlib/tests/gh19922.phpt b/ext/zlib/tests/gh19922.phpt new file mode 100644 index 000000000000..71644512e665 --- /dev/null +++ b/ext/zlib/tests/gh19922.phpt @@ -0,0 +1,12 @@ +--TEST-- +GH-19922 (gzopen double free on debug build and unseekable stream) +--EXTENSIONS-- +zlib +--FILE-- + +--EXPECTF-- + +Warning: gzopen(php://output): could not make seekable - php://output in %s on line %d +bool(false) diff --git a/main/streams/streams.c b/main/streams/streams.c index 7a1b52110825..6dc073cd0baa 100644 --- a/main/streams/streams.c +++ b/main/streams/streams.c @@ -2219,7 +2219,6 @@ PHPAPI php_stream *_php_stream_open_wrapper_ex(const char *path, const char *mod int persistent = options & STREAM_OPEN_PERSISTENT; zend_string *path_str = NULL; zend_string *resolved_path = NULL; - char *copy_of_path = NULL; if (opened_path) { if (options & STREAM_OPEN_FOR_ZEND_STREAM) { 
@@ -2296,8 +2295,7 @@ PHPAPI php_stream *_php_stream_open_wrapper_ex(const char *path, const char *mod if (stream->orig_path) { pefree(stream->orig_path, persistent); } - copy_of_path = pestrdup(path, persistent); - stream->orig_path = copy_of_path; + stream->orig_path = pestrdup(path, persistent); #if ZEND_DEBUG stream->open_filename = __zend_orig_filename ? __zend_orig_filename : __zend_filename; stream->open_lineno = __zend_orig_lineno ? __zend_orig_lineno : __zend_lineno; @@ -2356,11 +2354,6 @@ PHPAPI php_stream *_php_stream_open_wrapper_ex(const char *path, const char *mod } } php_stream_tidy_wrapper_error_log(wrapper); -#if ZEND_DEBUG - if (stream == NULL && copy_of_path != NULL) { - pefree(copy_of_path, persistent); - } -#endif if (resolved_path) { zend_string_release_ex(resolved_path, 0); } From e029f8f45b6d3f1a468d5e8d476e99c01fffdada Mon Sep 17 00:00:00 2001 From: David Carlier Date: Thu, 25 Sep 2025 19:49:38 +0100 Subject: [PATCH 5/7] Fix GH-19955: imagefttext() memory leak close GH-19968 --- NEWS | 3 +++ ext/gd/libgd/gdkanji.c | 2 ++ ext/gd/tests/gh19955.phpt | 15 +++++++++++++++ 3 files changed, 20 insertions(+) create mode 100644 ext/gd/tests/gh19955.phpt diff --git a/NEWS b/NEWS index a7f5149c5e21..58d9ebc69ad0 100644 --- a/NEWS +++ b/NEWS @@ -27,6 +27,9 @@ PHP NEWS - DBA: . Fixed GH-19885 (dba_fetch() overflow on skip argument). (David Carlier) +- GD: + . FIxed GH-19955 (imagefttext() memory leak). (David Carlier) + - SimpleXML: . Fixed bug GH-19988 (zend_string_init with NULL pointer in simplexml (UB)). (nielsdos) diff --git a/ext/gd/libgd/gdkanji.c b/ext/gd/libgd/gdkanji.c index 21bc2280982a..ef769f89badd 100644 --- a/ext/gd/libgd/gdkanji.c +++ b/ext/gd/libgd/gdkanji.c @@ -368,6 +368,8 @@ do_convert (unsigned char *to, unsigned char *from, const char *code) else error ("something happen"); strcpy ((char *) to, (const char *) from); + if (iconv_close (cd) != 0) + error ("iconv_close() error"); return; } 
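Review bot: After this change nothing at `stream->orig_path = pestrdup(path, persistent);` says who releases that copy, and the removed `ZEND_DEBUG` block was exactly where a reader would have looked for the answer; a comment such as `/* owned by the stream and released with it, so no separate cleanup is needed when a later step fails and closes the stream */` would record why the debug-only free was the double free. That ownership claim is inferred from the commit message rather than visible in the hunks, so confirm it against the stream close path before wording it as fact. `_php_stream_open_wrapper_ex` starts before the first hunk of this file and ends after the last.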
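Review bot: The new `iconv_close (cd)` only covers the failed-conversion path; whether the success path further down already closes `cd` is outside the hunk, so confirm that this was the only leak and that `error()` returns rather than aborts (otherwise the `strcpy` and `return` after it are dead code). If the rest of the file braces single-statement bodies, `if (iconv_close (cd) != 0) { error ("iconv_close() error"); }` would match it, and a short note that `cd` is presumably valid here because an `iconv_open` failure returns earlier would help. do_convert begins before and ends after the hunk.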
diff --git a/ext/gd/tests/gh19955.phpt b/ext/gd/tests/gh19955.phpt new file mode 100644 index 000000000000..a4b58e403cf4 --- /dev/null +++ b/ext/gd/tests/gh19955.phpt @@ -0,0 +1,15 @@ +--TEST-- +GH-19955: (imagefttext() memory leak) +--EXTENSIONS-- +gd +--CREDITS-- +YuanchengJiang +--FILE-- + +--EXPECT-- +OK From 16a8591f281860eb3d08c8ac8fcc79d791608603 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Fri, 26 Sep 2025 14:26:16 +0200 Subject: [PATCH 6/7] Fix fatal error during sccp shift eval Avoid returning early in this function, as other checks might still be needed to verify whether the given function can procude an error. Fixes oss-fuzz #447521098 Closes GH-19972 --- NEWS | 3 +++ Zend/tests/oss_fuzz_447521098.phpt | 13 +++++++++++++ Zend/zend_compile.c | 8 ++++++-- 3 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 Zend/tests/oss_fuzz_447521098.phpt diff --git a/NEWS b/NEWS index c21d7801b3ff..c16f62d8ba76 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 8.5.0RC2 +- Core: + . Fix OSS-Fuzz #447521098 (Fatal error during sccp shift eval). (ilutov) + - Opcache . Fixed segfault in function JIT due to NAN to bool warning. (Girgias) diff --git a/Zend/tests/oss_fuzz_447521098.phpt b/Zend/tests/oss_fuzz_447521098.phpt new file mode 100644 index 000000000000..09967ce0ae3a --- /dev/null +++ b/Zend/tests/oss_fuzz_447521098.phpt @@ -0,0 +1,13 @@ +--TEST-- +OSS-Fuzz #447521098: Fatal error during sccp shift eval +--FILE-- +> $y; +} +?> +===DONE=== +--EXPECT-- +===DONE=== diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c index 2eee6a01caf7..d8c13b6ff6c3 100644 --- a/Zend/zend_compile.c +++ b/Zend/zend_compile.c 
@@ -9998,7 +9998,9 @@ ZEND_API bool zend_binary_op_produces_error(uint32_t opcode, const zval *op1, co /* Operation which cast float/float-strings to integers might produce incompatible float to int errors */ if (opcode == ZEND_SL || opcode == ZEND_SR || opcode == ZEND_BW_OR || opcode == ZEND_BW_AND || opcode == ZEND_BW_XOR) { - return !zend_is_op_long_compatible(op1) || !zend_is_op_long_compatible(op2); + if (!zend_is_op_long_compatible(op1) || !zend_is_op_long_compatible(op2)) { + return 1; + } } if (opcode == ZEND_DIV && zval_get_double(op2) == 0.0) { @@ -10009,7 +10011,9 @@ ZEND_API bool zend_binary_op_produces_error(uint32_t opcode, const zval *op1, co /* Mod is an operation that will cast float/float-strings to integers which might produce float to int incompatible errors, and also cannot be divided by 0 */ if (opcode == ZEND_MOD) { - return !zend_is_op_long_compatible(op1) || !zend_is_op_long_compatible(op2) || zval_get_long(op2) == 0; + if (!zend_is_op_long_compatible(op1) || !zend_is_op_long_compatible(op2) || zval_get_long(op2) == 0) { + return 1; + } } if ((opcode == ZEND_POW) && zval_get_double(op1) == 0 && zval_get_double(op2) < 0) { From 836a556f73700365d4a6f52f977b2fc7ea4ea720 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Tue, 30 Sep 2025 01:18:56 +0200 Subject: [PATCH 7/7] [skip ci] Fix NEWS formatting --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NEWS b/NEWS index c16f62d8ba76..4c7706784016 100644 --- a/NEWS +++ b/NEWS @@ -5,7 +5,7 @@ PHP NEWS - Core: . Fix OSS-Fuzz #447521098 (Fatal error during sccp shift eval). (ilutov) -- Opcache +- Opcache: . Fixed segfault in function JIT due to NAN to bool warning. (Girgias) - SOAP:
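Review bot: `return 1;` in the new `if` body is a plain int in a function declared `bool` (`ZEND_API bool zend_binary_op_produces_error`); `return true;` keeps the type explicit and matches the declaration, and the same applies to the ZEND_MOD hunk below. The reason for no longer returning early lives only in the commit message — a short comment at the first block, e.g. `/* only the error case returns here; a non-error result must still fall through to the checks below */`, would keep that intent next to the code. The function continues past both hunks, so which later checks depend on this fall-through is not visible here.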