From 2f798d99b74933c25aee8509dd44fdc8a8697f05 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Tue, 28 Sep 2021 15:55:24 +0200
Subject: [PATCH] Fix leak of invalid stream_read() return value

Fixes oss-fuzz 6225190686687232 (part of #38542).
---
 .../streams/stream_read_object_return.phpt | 24 +++++++++++++++++++
 main/streams/userspace.c | 1 +
 2 files changed, 25 insertions(+)
 create mode 100644 ext/standard/tests/streams/stream_read_object_return.phpt
diff --git a/ext/standard/tests/streams/stream_read_object_return.phpt b/ext/standard/tests/streams/stream_read_object_return.phpt
new file mode 100644
index 00000000000..acb0363f404
--- /dev/null
+++ b/ext/standard/tests/streams/stream_read_object_return.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Returning an object from stream_read() is invalid, but should not leak
+--FILE--
+getMessage(), "\n";
+}
+?>
+--EXPECT--
+Object of class stdClass could not be converted to string
diff --git a/main/streams/userspace.c b/main/streams/userspace.c
index 0e9059a99e5..271d0cdffbe 100644
--- a/main/streams/userspace.c
+++ b/main/streams/userspace.c
@@ -648,6 +648,7 @@ static ssize_t php_userstreamop_read(php_stream *stream, char *buf, size_t count
 }
 if (!try_convert_to_string(&retval)) {
+ zval_ptr_dtor(&retval);
 return -1;
 }
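Review bot: The added `zval_ptr_dtor(&retval);` in the `try_convert_to_string()` failure branch of `php_userstreamop_read` carries no comment explaining why the release is needed on this path, so the ownership rule is easy to lose in a later refactor. I would put `/* conversion failed: retval still holds the value returned by stream_read() and must be released here */` directly above it. The function body starts and ends outside the hunk, so the other `return -1` exits are not visible. Since the returned value comes from a userland stream wrapper, it is worth confirming that each of those exits either releases `retval` or cannot be reached while it holds a refcounted value.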