php
diff --git a/‎NEWS
+3 b/‎NEWS
+3
diff --git a/‎ext/iconv/iconv.c
+3-8 b/‎ext/iconv/iconv.c
+3-8
diff --git a/‎ext/iconv/tests/gh17047.phpt
+17 b/‎ext/iconv/tests/gh17047.phpt
+17
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.4.3
 
+- Iconv:
+  . Fixed bug GH-17047 (UAF on iconv filter failure). (nielsdos)
+
 - Streams:
   . Fixed bug GH-17037 (UAF in user filter when adding existing filter name due
     to incorrect error handling). (nielsdos)
 
@@ -2535,7 +2535,8 @@ static php_stream_filter_status_t php_iconv_stream_filter_do_filter(
 		if (php_iconv_stream_filter_append_bucket(self, stream, filter,
 				buckets_out, bucket->buf, bucket->buflen, &consumed,
 				php_stream_is_persistent(stream)) != SUCCESS) {
-			goto out_failure;
+			php_stream_bucket_delref(bucket);
+			return PSFS_ERR_FATAL;
 		}
 
 		php_stream_bucket_delref(bucket);
@@ -2545,7 +2546,7 @@ static php_stream_filter_status_t php_iconv_stream_filter_do_filter(
 		if (php_iconv_stream_filter_append_bucket(self, stream, filter,
 				buckets_out, NULL, 0, &consumed,
 				php_stream_is_persistent(stream)) != SUCCESS) {
-			goto out_failure;
+			return PSFS_ERR_FATAL;
 		}
 	}
 
@@ -2554,12 +2555,6 @@ static php_stream_filter_status_t php_iconv_stream_filter_do_filter(
 	}
 
 	return PSFS_PASS_ON;
-
-out_failure:
-	if (bucket != NULL) {
-		php_stream_bucket_delref(bucket);
-	}
-	return PSFS_ERR_FATAL;
 }
 /* }}} */
 
 
@@ -0,0 +1,17 @@
+--TEST--
+GH-17047 (UAF on iconv filter failure)
+--EXTENSIONS--
+iconv
+--FILE--
+<?php
+$stream = fopen('php://temp', 'w+');
+stream_filter_append($stream, 'convert.iconv.UTF-16BE.UTF-8');
+stream_filter_append($stream, 'convert.iconv.UTF-16BE.UTF-16BE');
+fputs($stream, 'test');
+rewind($stream);
+var_dump(stream_get_contents($stream));
+fclose($stream);
+?>
+--EXPECTF--
+Warning: stream_get_contents(): iconv stream filter ("UTF-16BE"=>"UTF-16BE"): invalid multibyte sequence in %s on line %d
+string(0) ""
Original file line number	Diff line number	Diff line change
`@@ -2535,7 +2535,8 @@ static php_stream_filter_status_t php_iconv_stream_filter_do_filter(`
`2535`	`2535`	`if (php_iconv_stream_filter_append_bucket(self, stream, filter,`
`2536`	`2536`	`buckets_out, bucket->buf, bucket->buflen, &consumed,`
`2537`	`2537`	`php_stream_is_persistent(stream)) != SUCCESS) {`
`2538`		`- goto out_failure;`
	`2538`	`+ php_stream_bucket_delref(bucket);`
	`2539`	`+ return PSFS_ERR_FATAL;`
`2539`	`2540`	`}`
`2540`	`2541`
`2541`	`2542`	`php_stream_bucket_delref(bucket);`
`@@ -2545,7 +2546,7 @@ static php_stream_filter_status_t php_iconv_stream_filter_do_filter(`
`2545`	`2546`	`if (php_iconv_stream_filter_append_bucket(self, stream, filter,`
`2546`	`2547`	`buckets_out, NULL, 0, &consumed,`
`2547`	`2548`	`php_stream_is_persistent(stream)) != SUCCESS) {`
`2548`		`- goto out_failure;`
	`2549`	`+ return PSFS_ERR_FATAL;`
`2549`	`2550`	`}`
`2550`	`2551`	`}`
`2551`	`2552`
`@@ -2554,12 +2555,6 @@ static php_stream_filter_status_t php_iconv_stream_filter_do_filter(`
`2554`	`2555`	`}`
`2555`	`2556`
`2556`	`2557`	`return PSFS_PASS_ON;`
`2557`		`-`
`2558`		`-out_failure:`
`2559`		`- if (bucket != NULL) {`
`2560`		`- php_stream_bucket_delref(bucket);`
`2561`		`- }`
`2562`		`- return PSFS_ERR_FATAL;`
`2563`	`2558`	`}`
`2564`	`2559`	`/* }}} */`
`2565`	`2560`