From 5a329240c27bc700e17d649096f806c37623f1e3 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Tue, 24 Dec 2024 14:07:53 +0100
Subject: [PATCH 1/3] Fix GH-17223: Memory leak in libxml encoding handling

This was a bug in both libxml and PHP.
We follow up with the same change as done in GNOME/libxml@b3871dd138.

Changing away from `xmlOutputBufferCreateFilenameDefault` is not
possible yet because this is a stable branch and would break BC.
---
 ext/dom/tests/gh17223.phpt | 11 +++++++++++
 ext/libxml/libxml.c        | 11 ++++++++---
 2 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 ext/dom/tests/gh17223.phpt

diff --git a/ext/dom/tests/gh17223.phpt b/ext/dom/tests/gh17223.phpt
new file mode 100644
index 0000000000000..faacbf929b09b
--- /dev/null
+++ b/ext/dom/tests/gh17223.phpt
@@ -0,0 +1,11 @@
+--TEST--
+GH-17223 (Memory leak in libxml encoding handling)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$doc = new DOMDocument(str_repeat(chr(223), 65537) . str_repeat(chr(8), 17) . str_repeat(chr(133), 257), str_repeat(chr(62), 257));
+$doc->save("%00");
+?>
+--EXPECTF--
+Warning: DOMDocument::save(): URI must not contain percent-encoded NUL bytes in %s on line %d
diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c
index 0c252e5e455aa..6590f73f9edd6 100644
--- a/ext/libxml/libxml.c
+++ b/ext/libxml/libxml.c
@@ -590,11 +590,11 @@ php_libxml_output_buffer_create_filename(const char *URI,
 	char *unescaped = NULL;
 
 	if (URI == NULL)
-		return(NULL);
+		goto err;
 
 	if (strstr(URI, "%00")) {
 		php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
-		return NULL;
+		goto err;
 	}
 
 	puri = xmlParseURI(URI);
@@ -615,7 +615,7 @@ php_libxml_output_buffer_create_filename(const char *URI,
 	}
 
 	if (context == NULL) {
-		return(NULL);
+		goto err;
 	}
 
 	/* Allocate the Output buffer front-end. */
@@ -627,6 +627,11 @@ php_libxml_output_buffer_create_filename(const char *URI,
 	}
 
 	return(ret);
+
+err:
+	/* Similarly to __xmlOutputBufferCreateFilename we should also close the encoder on failure. */
+	xmlCharEncCloseFunc(encoder);
+	return NULL;
 }
 
 static void _php_libxml_free_error(void *ptr)

From 0a1c515cae390017b766a8b7459f7727a77c4146 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 25 Dec 2024 16:28:41 +0100
Subject: [PATCH 2/3] Make test portable

---
 ext/dom/tests/gh17223.phpt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/dom/tests/gh17223.phpt b/ext/dom/tests/gh17223.phpt
index faacbf929b09b..939a5fd5945f8 100644
--- a/ext/dom/tests/gh17223.phpt
+++ b/ext/dom/tests/gh17223.phpt
@@ -4,7 +4,7 @@ GH-17223 (Memory leak in libxml encoding handling)
 dom
 --FILE--
 <?php
-$doc = new DOMDocument(str_repeat(chr(223), 65537) . str_repeat(chr(8), 17) . str_repeat(chr(133), 257), str_repeat(chr(62), 257));
+$doc = new DOMDocument("1.0", "Shift-JIS");
 $doc->save("%00");
 ?>
 --EXPECTF--

From 96a3e7e887fcdb77666c3b3404d4ef7ea9afc09d Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 25 Dec 2024 16:59:37 +0100
Subject: [PATCH 3/3] Even more portable I hope

---
 ext/dom/tests/gh17223.phpt | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ext/dom/tests/gh17223.phpt b/ext/dom/tests/gh17223.phpt
index 939a5fd5945f8..6a0f274c2f64d 100644
--- a/ext/dom/tests/gh17223.phpt
+++ b/ext/dom/tests/gh17223.phpt
@@ -5,7 +5,8 @@ dom
 --FILE--
 <?php
 $doc = new DOMDocument("1.0", "Shift-JIS");
-$doc->save("%00");
+@$doc->save("%00");
+echo "Done\n";
 ?>
---EXPECTF--
-Warning: DOMDocument::save(): URI must not contain percent-encoded NUL bytes in %s on line %d
+--EXPECT--
+Done