From f9f841ac9b6321d33233ce1918ec165c6d247ea6 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Mon, 22 Sep 2025 19:02:46 +0100
Subject: [PATCH 1/2] Fix GH-19922: gzopen() double free

---
 main/streams/streams.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/main/streams/streams.c b/main/streams/streams.c
index 7a1b521108257..6dc073cd0baa3 100644
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -2219,7 +2219,6 @@ PHPAPI php_stream *_php_stream_open_wrapper_ex(const char *path, const char *mod
 	int persistent = options & STREAM_OPEN_PERSISTENT;
 	zend_string *path_str = NULL;
 	zend_string *resolved_path = NULL;
-	char *copy_of_path = NULL;
 
 	if (opened_path) {
 		if (options & STREAM_OPEN_FOR_ZEND_STREAM) {
@@ -2296,8 +2295,7 @@ PHPAPI php_stream *_php_stream_open_wrapper_ex(const char *path, const char *mod
 		if (stream->orig_path) {
 			pefree(stream->orig_path, persistent);
 		}
-		copy_of_path = pestrdup(path, persistent);
-		stream->orig_path = copy_of_path;
+		stream->orig_path = pestrdup(path, persistent);
 #if ZEND_DEBUG
 		stream->open_filename = __zend_orig_filename ? __zend_orig_filename : __zend_filename;
 		stream->open_lineno = __zend_orig_lineno ? __zend_orig_lineno : __zend_lineno;
@@ -2356,11 +2354,6 @@ PHPAPI php_stream *_php_stream_open_wrapper_ex(const char *path, const char *mod
 		}
 	}
 	php_stream_tidy_wrapper_error_log(wrapper);
-#if ZEND_DEBUG
-	if (stream == NULL && copy_of_path != NULL) {
-		pefree(copy_of_path, persistent);
-	}
-#endif
 	if (resolved_path) {
 		zend_string_release_ex(resolved_path, 0);
 	}

From 71fc9542ed28dd010acf56296c1b66073d8054d0 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Mon, 22 Sep 2025 20:16:03 +0100
Subject: [PATCH 2/2] add test

---
 ext/zlib/tests/gh19922.phpt | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 ext/zlib/tests/gh19922.phpt

diff --git a/ext/zlib/tests/gh19922.phpt b/ext/zlib/tests/gh19922.phpt
new file mode 100644
index 0000000000000..3da53442f8bba
--- /dev/null
+++ b/ext/zlib/tests/gh19922.phpt
@@ -0,0 +1,16 @@
+--TEST--
+GH-19922 (gzopen double free on debug build and unseekable stream)
+--EXTENSIONS--
+zlib
+--SKIPIF--
+<?php
+if (getenv("USE_ZEND_ALLOC") !== "0") die("skip Zend MM enabled");
+?>
+--FILE--
+<?php
+var_dump(gzopen("php://output", 14));
+?>
+--EXPECTF--
+
+Warning: gzopen(php://output): could not make seekable - php://output in %s on line %d
+bool(false)