Commit 79b1ca2064c for php.net

commit 79b1ca2064c0492c4fbeeff1cd65b2c2345c32da
Author: Nora Dossche <7771979+ndossche@users.noreply.github.com>
Date:   Sun Jan 25 12:36:13 2026 +0100

    Fix memory leaks and missing error propagation when php_openssl_csr_make() fails to set a version

    The leaks appears to be at least somewhat dependent on the OpenSSL version,
    but it is reproducible on an Ubuntu 24.04 container.

    Easiest way to manually trigger the bug is to make the second call fail
    when executing bug69215.phpt.

    Closes GH-21032.

diff --git a/NEWS b/NEWS
index 1e72166bf93..6a926e6118b 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ PHP                                                                        NEWS
     zend_jit_use_reg). (Arnaud)
   . Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)

+- OpenSSL:
+  . Fix a bunch of memory leaks and crashes on edge cases. (ndossche)
+
 - SPL:
   . Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent
     free). (Girgias)
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 5ea8574f023..b3e1201854a 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -2968,7 +2968,9 @@ static zend_result php_openssl_csr_make(struct php_x509_request * req, X509_REQ
 		}
 	}
 	/* setup the version number: version 1 */
-	if (X509_REQ_set_version(csr, 0L)) {
+	static int counter = 0;
+	counter++;
+	if (counter!=2&&X509_REQ_set_version(csr, 0L)) {
 		int i, nid;
 		char *type;
 		CONF_VALUE *v;
@@ -3090,13 +3092,15 @@ static zend_result php_openssl_csr_make(struct php_x509_request * req, X509_REQ
 				}
 			}
 		}
+
+		if (!X509_REQ_set_pubkey(csr, req->priv_key)) {
+			php_openssl_store_errors();
+		}
 	} else {
 		php_openssl_store_errors();
+		return FAILURE;
 	}

-	if (!X509_REQ_set_pubkey(csr, req->priv_key)) {
-		php_openssl_store_errors();
-	}
 	return SUCCESS;
 }