From ab508c98b382bfe1627e3436997e7ac59f95fd46 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Mon, 5 Feb 2024 22:48:00 +0100
Subject: [PATCH] Fix unlikely memory leak in case of namespace removal with extremely deep trees
---
 NEWS | 6 ++++++
 ext/dom/element.c | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index f70a3adcd5b..4495a951f47 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ PHP NEWS
 - Curl:
 . Fix failing tests due to string changes in libcurl 8.6.0. (Ayesh)
+- DOM:
+ . Fix unlikely memory leak in case of namespace removal with extremely deep
+ trees. (nielsdos)
+
 - FPM:
 . Fixed bug #75712 (getenv in php-fpm should not read $_ENV, $_SERVER). (Jakub Zelenka)
@@ -15,6 +19,8 @@ PHP NEWS
 . Fixed array key as hash to string (case insensitive) comparison typo for the second operand buffer size (albeit unused for now). (A. Slepykh)
+5 Feb 2024, PHP 8.3.3
+
 - Core:
 . Fixed timer leak in zend-max-execution-timers builds. (withinboredom)
 . Fixed bug GH-12349 (linking failure on ARM with mold). (Jan Palus)
diff --git a/ext/dom/element.c b/ext/dom/element.c
index f87fbcccfef..46f1100a767 100644
--- a/ext/dom/element.c
+++ b/ext/dom/element.c
@@ -461,7 +461,7 @@ static void dom_deep_ns_redef(xmlNodePtr node, xmlNsPtr ns_to_redefine)
 if (worklist_size == worklist_capacity) {
 if (UNEXPECTED(worklist_capacity >= SIZE_MAX / 3 * 2 / sizeof(dom_deep_ns_redef_item))) {
 /* Shouldn't be possible to hit, but checked for safety anyway */
- return;
+ goto out;
 }
 worklist_capacity = worklist_capacity * 3 / 2;
 worklist = erealloc(worklist, sizeof(dom_deep_ns_redef_item) * worklist_capacity);
@@ -472,6 +472,7 @@ static void dom_deep_ns_redef(xmlNodePtr node, xmlNsPtr ns_to_redefine)
 }
 }
+out:
 efree(worklist);
 }
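Review bot: The `goto out;` path in dom_deep_ns_redef still ends the walk early and silently: the function is `void`, so the caller cannot tell that the entries left on the worklist, and the children not yet pushed, were never visited. If those unvisited nodes still point at `ns_to_redefine` and the caller later releases that namespace, they would be left dangling; this cannot be confirmed from the hunk, because the caller and the top of the function lie outside it. I would at least make the comment state the consequence, e.g. `/* Unreachable in practice; on bail-out the rest of the subtree is NOT redefined */`, so a later reader does not take the partial result for a complete one. The `out:` label added in the second ext/dom/element.c hunk is fine as written.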