From a3642242f109c1b5cabcaa6ca0f3afb328a8adea Mon Sep 17 00:00:00 2001
From: Jarne Clauw <67628242+JarneClauw@users.noreply.github.com>
Date: Mon, 13 Apr 2026 22:03:43 +0200
Subject: [PATCH 1/2] Fixing memory leak

---
 ext/openssl/openssl.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 8fc830b756d7c..7f584828d2093 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -2898,6 +2898,7 @@ PHP_FUNCTION(openssl_pkcs12_read)
 			}
 
 			sk_X509_free(ca);
+			ca = NULL;
 			add_assoc_zval(zout, "extracerts", &zextracerts);
 		}
 
@@ -2915,6 +2916,15 @@ PHP_FUNCTION(openssl_pkcs12_read)
 	if (p12) {
 		PKCS12_free(p12);
 	}
+	int cert_num = sk_X509_num(ca);
+	if (ca && cert_num) {
+		for (i = 0; i < cert_num; i++) {
+			X509* aCA = sk_X509_pop(ca);
+			if (!aCA) break;
+			X509_free(aCA);
+		}
+		sk_X509_free(ca);
+	}
 }
 /* }}} */
 

From ca1b30a453613a70fa940ff6fcd0400ce0ee66cd Mon Sep 17 00:00:00 2001
From: Jarne Clauw <67628242+JarneClauw@users.noreply.github.com>
Date: Tue, 14 Apr 2026 13:37:54 +0200
Subject: [PATCH 2/2] Simplified cleanup and adding test

---
 ext/openssl/openssl.c                         | 11 +--------
 .../tests/openssl_pkcs12_read_array_init.phpt | 23 +++++++++++++++++++
 2 files changed, 24 insertions(+), 10 deletions(-)
 create mode 100644 ext/openssl/tests/openssl_pkcs12_read_array_init.phpt

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 7f584828d2093..ae8cec7933a22 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -2847,6 +2847,7 @@ PHP_FUNCTION(openssl_pkcs12_read)
 
 		zout = zend_try_array_init(zout);
 		if (!zout) {
+			sk_X509_pop_free(ca, X509_free);
 			goto cleanup;
 		}
 
@@ -2898,7 +2899,6 @@ PHP_FUNCTION(openssl_pkcs12_read)
 			}
 
 			sk_X509_free(ca);
-			ca = NULL;
 			add_assoc_zval(zout, "extracerts", &zextracerts);
 		}
 
@@ -2916,15 +2916,6 @@ PHP_FUNCTION(openssl_pkcs12_read)
 	if (p12) {
 		PKCS12_free(p12);
 	}
-	int cert_num = sk_X509_num(ca);
-	if (ca && cert_num) {
-		for (i = 0; i < cert_num; i++) {
-			X509* aCA = sk_X509_pop(ca);
-			if (!aCA) break;
-			X509_free(aCA);
-		}
-		sk_X509_free(ca);
-	}
 }
 /* }}} */
 
diff --git a/ext/openssl/tests/openssl_pkcs12_read_array_init.phpt b/ext/openssl/tests/openssl_pkcs12_read_array_init.phpt
new file mode 100644
index 0000000000000..b57cd32b686aa
--- /dev/null
+++ b/ext/openssl/tests/openssl_pkcs12_read_array_init.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Memory leak when array initialization in openssl_pkcs12_read() fails
+--EXTENSIONS--
+openssl
+--FILE--
+<?php
+$pfx = __DIR__ . DIRECTORY_SEPARATOR . "bug74022.pfx";
+$cert_store = file_get_contents($pfx);
+
+class Typed {
+    public string $foo = "bar";
+}
+
+$typed = new Typed;
+
+try {
+    openssl_pkcs12_read($cert_store, $typed->foo, "csos");
+} catch (TypeError $e) {
+    echo $e::class, ": ", $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+TypeError: Cannot assign array to reference held by property Typed::$foo of type string