From 2f162214e8368266d546e64b508c3ddc12dfa717 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 6 Sep 2025 22:22:55 +0200
Subject: [PATCH] Fix memory leak in phar tar temporary file error handling code
Closes GH-19740.
---
 NEWS | 1 +
 ext/phar/tar.c | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/NEWS b/NEWS
index 36b2f9b9fc9da..72c9157450b1b 100644
--- a/NEWS
+++ b/NEWS
@@ -39,6 +39,7 @@ PHP NEWS
 - Phar:
 . Fixed memory leaks when verifying OpenSSL signature. (Girgias)
+ . Fix memory leak in phar tar temporary file error handling code. (nielsdos)
 - Standard:
 . Fixed bug GH-16649 (UAF during array_splice). (alexandre-daubois)
diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index 38bd52c86093b..687ca34c173c9 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -1211,6 +1211,7 @@ int phar_tar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int
 }
 zend_hash_apply_with_argument(&phar->manifest, phar_tar_writeheaders, (void *) &pass);
+ /* TODO: memory leak and incorrect continuation if phar_tar_writeheaders fails? */
 /* add signature for executable tars or tars explicitly set with setSignatureAlgorithm */
 if (!phar->is_data || phar->sig_flags) {
@@ -1234,6 +1235,12 @@ int phar_tar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int
 entry.fp = php_stream_fopen_tmpfile();
 if (entry.fp == NULL) {
 spprintf(error, 0, "phar error: unable to create temporary file");
+
+ efree(signature);
+ if (closeoldfile) {
+ php_stream_close(oldfile);
+ }
+ php_stream_close(newfile);
 return EOF;
 }
 #ifdef WORDS_BIGENDIAN
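Review bot: The TODO added after `zend_hash_apply_with_argument(&phar->manifest, phar_tar_writeheaders, (void *) &pass);` records a suspected leak and "incorrect continuation" but leaves both in place, so a failed header write still appears to fall through into the signature block that follows. zend_hash_apply_with_argument() returns void, so any check has to read whatever failure state the callback leaves in `pass` or `*error`, neither of which is visible in this hunk. Until that is handled, the comment should say what is needed, e.g. `/* TODO: detect a phar_tar_writeheaders failure here and bail out (close oldfile/newfile, return EOF) instead of continuing to the signature step */`. phar_tar_flush begins and ends outside the hunk.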
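Review bot: The release sequence in the `entry.fp == NULL` branch is written out inline (`efree(signature);`, the `closeoldfile` check, `php_stream_close(newfile);`), so every other early return in phar_tar_flush has to repeat it by hand, and the TODO added in the first tar.c hunk suggests at least one path does not. A shared cleanup label for the error exits would keep them from drifting apart. At minimum, add a comment above the new lines such as `/* release what this function holds so far: signature buffer, old archive stream if we opened it, new archive stream */`. The function starts and ends outside the hunk, so whether the remaining `return EOF` sites already clean up could not be checked here.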