From aa216258a44955268b84754abedb775dc60dfeb9 Mon Sep 17 00:00:00 2001 From: Weilin Du Date: Tue, 23 Jun 2026 01:51:24 +0800 Subject: [PATCH] ext/Intl: Fix IntlListFormatter double construction leak (#22394) IntlListFormatter stores a UListFormatter pointer. Calling the constructor again on an already initialized object overwrote the existing pointer and leaked the previous formatter. Follow up to the double construction fixes from GH-22386 by rejecting repeated IntlListFormatter::__construct() calls. Closes #22394 --- NEWS | 2 ++ ext/intl/listformatter/listformatter_class.c | 5 +++++ .../listformatter/listformatter_double_ctor.phpt | 16 ++++++++++++++++ 3 files changed, 23 insertions(+) create mode 100644 ext/intl/tests/listformatter/listformatter_double_ctor.phpt diff --git a/NEWS b/NEWS index cb2a8846fcba..2d5316b6a2ac 100644 --- a/NEWS +++ b/NEWS @@ -18,6 +18,8 @@ PHP NEWS fallback locale when a language tag cannot be canonicalized. (Weilin Du) . Fixed memory leaks when calling Collator::__construct() or Spoofchecker::__construct() twice. (Weilin Du) + . Fixed memory leak when calling IntlListFormatter::__construct() twice. + (Weilin Du) - Reflection: . Fixed bug GH-22324 (Ignore leading namespace separator in diff --git a/ext/intl/listformatter/listformatter_class.c b/ext/intl/listformatter/listformatter_class.c index e4f8b18d7dd6..d8c9c792e036 100644 --- a/ext/intl/listformatter/listformatter_class.c +++ b/ext/intl/listformatter/listformatter_class.c @@ -67,6 +67,11 @@ PHP_METHOD(IntlListFormatter, __construct) Z_PARAM_LONG(width) ZEND_PARSE_PARAMETERS_END(); + if (LISTFORMATTER_OBJECT(obj)) { + zend_throw_error(NULL, "IntlListFormatter object is already constructed"); + RETURN_THROWS(); + } + if(locale_len == 0) { locale = (char *)intl_locale_get_default(); } diff --git a/ext/intl/tests/listformatter/listformatter_double_ctor.phpt b/ext/intl/tests/listformatter/listformatter_double_ctor.phpt new file mode 100644 index 000000000000..f8b0ca1e1633 --- /dev/null 
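Review bot: The new guard in `PHP_METHOD(IntlListFormatter, __construct)` has no comment saying what it protects, so a later refactor could move or drop it without anyone noticing that the leak returns. I would put `/* A second __construct() would overwrite the UListFormatter pointer and leak the first formatter, so reject it. */` above the `if (LISTFORMATTER_OBJECT(obj))` line. The check treats a non-NULL pointer as "already constructed", which presumably relies on a fresh object starting with a NULL pointer and on a failed construction never storing a half-built formatter. Neither is visible here, because the method body starts before this hunk and continues past it. As far as the hunk shows, the guard runs after `ZEND_PARSE_PARAMETERS_END()`, so a repeated call with bad arguments reports the argument error first; that looks harmless, since nothing is allocated between the two.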
+++ b/ext/intl/tests/listformatter/listformatter_double_ctor.phpt @@ -0,0 +1,16 @@ +--TEST-- +IntlListFormatter double construction should not be allowed +--EXTENSIONS-- +intl +--FILE-- +__construct('en_US'); +} catch (Error $e) { + echo $e->getMessage(), "\n"; +} +?> +--EXPECT-- +IntlListFormatter object is already constructed
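Review bot: The `--EXPECT--` section holds only the error message, so the test proves that the second `__construct('en_US')` throws but not that the object is still usable afterwards. Since the fix is meant to leave the first formatter in place, I would add a call after the `catch` block such as `echo $fmt->format(['a', 'b']), "\n";` and the matching expected line; `$fmt` stands for the test's own variable, which is not legible in this copy of the hunk. A second case that passes a different locale on the repeated call would also show that the guard does not depend on the arguments.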