From 1863f72f21402d991507637dad9380a437d9b1a3 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 5 Mar 2025 18:40:22 +0100
Subject: [PATCH] Fix memory leaks in array_any() / array_all()

The return value is overwritten, but if the key was not an interned
string we should destroy it.
---
 ext/standard/array.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/ext/standard/array.c b/ext/standard/array.c
index 6bfc0dc9c0403..0c2de2a98a1d9 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -6628,7 +6628,8 @@ static zend_result php_array_find(const HashTable *array, zend_fcall_info fci, z
 		ZVAL_COPY(&args[0], operand);
 
 		zend_result result = zend_call_function(&fci, &fci_cache);
-		if (EXPECTED(result == SUCCESS)) {
+		ZEND_ASSERT(result == SUCCESS);
+		if (EXPECTED(!Z_ISUNDEF(retval))) {
 			int retval_true;
 
 			retval_true = zend_is_true(&retval);
@@ -6656,7 +6657,7 @@ static zend_result php_array_find(const HashTable *array, zend_fcall_info fci, z
 		zval_ptr_dtor(&args[0]);
 		zval_ptr_dtor(&args[1]);
 
-		if (UNEXPECTED(result != SUCCESS)) {
+		if (UNEXPECTED(Z_ISUNDEF(retval))) {
 			return FAILURE;
 		}
 	} ZEND_HASH_FOREACH_END();
@@ -6725,7 +6726,11 @@ PHP_FUNCTION(array_any)
 		RETURN_THROWS();
 	}
 
-	RETURN_BOOL(Z_TYPE_P(return_value) != IS_UNDEF);
+	bool retval = !Z_ISUNDEF_P(return_value);
+	if (Z_TYPE_P(return_value) == IS_STRING) {
+		zval_ptr_dtor_str(return_value);
+	}
+	RETURN_BOOL(retval);
 }
 /* }}} */
 
@@ -6745,7 +6750,11 @@ PHP_FUNCTION(array_all)
 		RETURN_THROWS();
 	}
 
-	RETURN_BOOL(Z_TYPE_P(return_value) == IS_UNDEF);
+	bool retval = Z_ISUNDEF_P(return_value);
+	if (Z_TYPE_P(return_value) == IS_STRING) {
+		zval_ptr_dtor_str(return_value);
+	}
+	RETURN_BOOL(retval);
 }
 /* }}} */