Commit 366c38fea0b for php.net

commit 366c38fea0ba029f72c5c8be8baf285c6d2ce0be
Merge: 7c9fcfd7d8c c5ea0eb18bb
Author: Gina Peter Banyard <girgias@php.net>
Date:   Thu Jul 2 11:59:10 2026 +0100

    Merge branch 'PHP-8.5'

    * PHP-8.5:
      Update NEWS for bugfixes
      ext/dba: fix oob read on malformed length field in dba flatfile handler
      ext/exif: Fix GH-11020: spurious "Illegal IFD size" warning in exif_read_data()
      ext/session: fix GH-21314 (session GC behaviour is different since 8.4)

diff --cc NEWS
index ec9efcbe02a,fceef3f9a3c..5f3ea1ff3f6
--- a/NEWS
+++ b/NEWS
@@@ -1,57 -1,471 +1,68 @@@
  PHP                                                                        NEWS
  |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 -?? ??? ????, PHP 8.5.9
 -
 -- Core:
 -  . Fixed bug GH-22290 (AST pretty printing does not correctly handle strings
 -    containing NUL). (iliaal)
 -  . Fixed bug GH-22206 (missing return in global register detection).
 -    (P3p111n0)
 +?? ??? ????, PHP 8.6.0alpha2

+ - DBA:
+   . Fixed OOB read on malformed length field in dba flatfile handler. (alhudz)
+
+ - Exif:
+   . Fixed bug GH-11020 (exif_read_data() emits a spurious "Illegal IFD size"
+     warning when an IFD is not followed by a next-IFD offset). (Eyüp Can Akman)
+
 -- Hash:
 -  . Fixed bug GH-18173 (ext/hash relies on implementation-defined malloc
 -    alignment). (iliaal)
 -
 -- Opcache:
 -  . Fixed bug GH-22158 (Tracing JIT dispatches the observer begin handler
 -    through the wrong run_time_cache slot on megamorphic calls). (ptondereau,
 -    iliaal)
 -  . Fixed bug GH-22443 (Tracing JIT SIGSEGV on megamorphic dynamic calls from
 -    an undereferenced run_time_cache map_ptr offset). (iliaal)
 -  . Fixed bug GH-21770 (Infinite recursion in property hook getter in opcache
 -    preloaded trait). (iliaal)
 -
  - OpenSSL:
 -  . Fixed timeout for supplemental read at end of a blocking stream in SSL
 -    stream wrapper. (ilutov)
 -
 -- Intl:
 -  . Fixed Locale::lookup() and locale_lookup() to return NULL instead of the
 -    fallback locale when a language tag cannot be canonicalized. (Weilin Du)
 -  . Fixed memory leaks when calling Collator::__construct() or
 -    Spoofchecker::__construct() twice. (Weilin Du)
 -  . Fixed memory leak when calling IntlListFormatter::__construct() twice.
 -    (Weilin Du)
 -  . Fixed IntlChar methods leaving stale global error state after successful
 -    calls. (Xuyang Zhang)
 -
 -- PDO_ODBC:
 -  . Fixed bug GH-20726 (Crash with ODBC connection pooling when the DSN
 -    carries no credentials). (iliaal)
 -
 -- Phar:
 -  . Fixed inconsistent handling of the magic ".phar" directory. Paths such as
 -    "/.phar" remain protected, while non-magic paths that merely start with
 -    ".phar" are handled consistently across file and directory creation,
 -    copying, ArrayAccess, stream lookup, directory iteration and extraction.
 -    (Weilin Du)
 -
 -- PHPDBG:
 -  . Fixed bug GH-17387 (Trivial crash in phpdbg lexer). (iliaal)
 -
 -- Reflection:
 -  . Fixed bug GH-22324 (Ignore leading namespace separator in
 -    ReflectionParameter::__construct()). (jorgsowa)
 -  . Fixed bug GH-22441 (ReflectionClass::hasProperty() and getProperty() ignore
 -    dynamic properties shadowing a private parent property). (iliaal)
 +  . Fixed stream_socket_get_crypto_status() after supplemental read. (ilutov)

+ - Session:
+   . Fixed bug GH-21314 (Different session garbage collector behavior between
+     PHP 8.3 and PHP 8.5). (jorgsowa)
+
 -- SPL:
 -  . Fix	class_parents for classes with leading slash in non-autoload mode.
 -    (jorgsowa)
 -  . Ignore leading back-slash in class_parents(), class_implements(), and
 -    class_uses(). (jorgsowa)
 -  . Fixed bug GH-16217 (SplFileObject::fputcsv() on an uninitialized object
 -    segfaults). (iliaal)
 -
 -- Standard:
 -  . Fixed bug GH-22395 (base_convert() outputs at most 64 characters).
 -    (Weilin Du)
 -
 -- URI:
 -  . Fixed behavior of Uri\WhatWg\Url wither methods with regards to empty
 -    opaque hosts. (kocsismate)
 -
 -02 Jul 2026, PHP 8.5.8
 +02 Jul 2026, PHP 8.6.0alpha1

  - Core:
 -  . Fixed bug GH-22280 (Incorrect compile error for goto to label preceding
 -    try/finally block). (Pratik Bhujel)
 -  . Fixed bug GH-22112 (Assertion when error handler throws during NaN to
 -    bool/string coercion). (iliaal)
 -
 -- BCMath:
 -  . Fixed issues with oversized allocations and signed overflow in bcround()
 -    and BcMath\Number::round(). (edorian)
 -
 -- Date:
 -  . Fix incorrect recurrence check of DatePeriod::createFromISO8601String().
 -    (ndossche)
 -
 -- Exif:
 -  . Read correct value for single and double tags. (ndossche)
 -
 -- GD:
 -  . Fixed bug GH-22121 (Double free in gdImageSetStyle() after
 -    overflow-triggered early return). (iliaal)
 -
 -- Intl:
 -  . Fix incorrect argument positions for invalid start/end arguments in
 -    transliterator_transliterate().
 -    (Weilin Du)
 -  . Fixed IntlTimeZone::getDisplayName() to synchronize object error state
 -    for invalid display types. (Weilin Du)
 -
 -- Lexbor:
 -  . Merge patch c3a6847. (ilutov, timwolla)
 -
 -- Opcache:
 -  . Fixed bug GH-22265 (Another tailcall vm_interrupt bug). (Levi Morrison)
 -  . Fixed bug GH-20469 (Unsafe inheritance cache replay with reentrant
 -    autoloading). (Levi Morrison)
 -  . Fixed bug GH-21972 (Corrupted variable type when a typed by-value return
 -    contains a reference wrapper). (Weilin Du)
 -
 -- Phar:
 -  . Fixed a bypass of the magic ".phar" directory protection in
 -    Phar::addEmptyDir() for paths starting with "/.phar", while allowing
 -    non-magic directory names that merely share the ".phar" prefix. (Weilin Du)
 -  . Fixed an integer underflow when parsing ZIP extra fields. (Weilin Du)
 -
 -- Reflection:
 -  . Preserve class-name case in ReflectionClass::getProperty() error messages
 -    and autoloading. (jorgsowa)
 -
 -- SOAP:
 -  . Fixed bug GH-22218 (SoapServer::handle() crash on $_SERVER not being
 -    an array). (David Carlier / Rex-Reynolds)
 -  . Fixed bug GH-22285 (Soap server requires the raw input to be passed
 -    to $server->handle). (David Carlier / ndossche)
 -
 -- Sqlite:
 -  . Fix error checks for column retrieval. (ndossche)
 -
 -- URI:
 -  . Add LEXBOR_STATIC to CFLAGS_URI on Windows so ext/uri does not see
 -    LXB_API as __declspec(dllimport) when linked statically into PHP.
 -    (Luther Monson)
 -  . Clean error logs before each Uri\WhatWg\Url wither call so that errors from
 -    previous wither calls are not returned the next time a UrlValidationError
 -    is thrown. (kocsismate)
 -
 -- Zip:
 -  . Fixed error-related memory leaks. (ndossche)
 -
 -- Zlib:
 -  . Fixed memory leak if deflate initialization fails and there is a dict.
 -    (ndossche)
 -  . Fixed memory leak in inflate_add(). (ndossche)
 -
 -02 Jun 2026, PHP 8.5.7
 -
 -- CLI:
 -  . Fixed bug GH-21901 (Stale getopt() optional value). (onthebed)
 -
 -- Core:
 -  . Fixed bug GH-22071 (JIT assertion on abstract static method call).
 -    (David Carlier)
 -
 -- Date:
 -  . Fixed bug GH-18422 (int overflow in php_date_llabs). (iliaal)
 -
 -- DOM:
 -  . Fixed bug GH-22077 (UAF in custom XPath function).
 -    (afflerbach/David Carlier)
 -
 -- Opcache:
 -  . Fixed tracing JIT crash when a VM interrupt is handled during an observed
 -    user function call. (Levi Morrison)
 -  . Fixed bug GH-21746 (Segfault with tracing JIT). (Arnaud)
 -  . Fixed bug GH-22004 (Assertion failure at ext/opcache/jit/zend_jit_trace.c).
 -    (Arnaud)
 -  . Fixed tailcall VM crash when a VM interrupt is handled from a VM helper.
 -    (Levi Morrison, Arnaud)
 -
 -- OpenSSL:
 -  . Fix compatibility issues with OpenSSL 4.0. (jordikroon, Remi)
 -
 -- Standard:
 -  . Fixed bug GH-21689 (version_compare() incorrectly handles versions ending
 -    with a dot). (timwolla)
 -
 -- URI:
 -  . Fixed CVE-2026-44927 (In uriparser before 1.0.2, there is pointer
 -    difference truncation to int in various places). (CVE-2026-44927)
 -    (Sebastian Pipping)
 -  . Fixed CVE-2026-44928 (In uriparser before 1.0.2, the function family
 -    EqualsUri can misclassify two unequal URIs as equal). (CVE-2026-44928)
 -    (Sebastian Pipping)
 -
 -07 May 2026, PHP 8.5.6
 -
 -- Core:
 -  . Fixed bug GH-19983 (GC assertion failure with fibers, generators and
 -    destructors). (iliaal)
 -  . Fixed ZEND_API mismatch on zend_ce_closure forward decl for Windows+Clang.
 +  . Added first-class callable cache to share instances for the duration of the
 +    request. (ilutov)
 +  . It is now possible to use reference assign on WeakMap without the key
 +    needing to be present beforehand. (ndossche)
 +  . Added `clamp()`. (kylekatarnls, thinkverse)
 +  . Fix OSS-Fuzz #429429090 (Failed assertion on unset() with uninitialized
 +    container). (ilutov)
 +  . Fixed GH-20564 (Don't call autoloaders with pending exception). (ilutov)
 +  . Fix deprecation now showing when accessing null key of an array with JIT.
 +    (alexandre-daubois)
 +  . Fixed bug GH-20174 (Assertion failure in
 +    ReflectionProperty::skipLazyInitialization after failed LazyProxy
 +    initialization). (Arnaud)
 +  . Enabled the TAILCALL VM on Windows when compiling with Clang >= 19 x86_64.
      (henderkes)
 -  . Fixed bug GH-21504 (Incorrect RC-handling for ZEND_EXT_STMT op1). (ilutov)
 -  . Fixed bug GH-21478 (Forward property operations to real instance for
 -    initialized lazy proxies). (iliaal)
 -  . Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
 -  . Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving
 -    self::/parent::/static:: callables if the error handler throws). (macoaure)
 -  . Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
 -  . Fixed bug GH-21760 (Trait with class constant name conflict against
 -    enum case causes SEGV). (Pratik Bhujel)
 -
 -- CLI:
 -  . Fixed bug GH-21754 (`--rf` command line option with a method triggers
 -    ext/reflection deprecation warnings). (DanielEScherzer)
 -
 -- Curl:
 -  . Add support for brotli and zstd on Windows. (Shivam Mathur)
 -
 -- DOM:
 -  . Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits
 -    duplicate xmlns declarations after setAttributeNS()). (CVE-2026-7263)
 +  . Deprecate specifying a nullable return type for __debugInfo(). (timwolla)
 +  . Fixed bug GH-22142 (Assertion failure in zendi_try_get_long() on IS_UNDEF).
      (David Carlier)
 -
 -- FPM:
 -  . Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735)
 -    (Jakub Zelenka)
 -
 -- Iconv:
 -  . Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)
 -
 -- Lexbor:
 -  . Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079)
 -    (ndossche, ilutov)
 -
 -- MBString:
 -  . Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in
 -    php_mb_check_encoding() via mb_ereg_search_init()). (CVE-2026-7259)
 -    (vi3tL0u1s)
 -  . Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()).
 -    (CVE-2026-6104) (ilutov)
 -
 -- Opcache:
 -  . Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1<<0) failed in
 -    zend_jit_use_reg). (Arnaud)
 -  . Fixed bug GH-21593 (Borked function JIT JMPNZ smart branch). (ilutov)
 -  . Fixed bug GH-21460 (COND optimization regression). (Dmitry, Arnaud)
 -  . Fixed faulty returns out of zend_try block in zend_jit_trace(). (ilutov)
 -
 -- OpenSSL:
 -  . Fix memory leak regression in openssl_pbkdf2(). (ndossche)
 -  . Fix a bunch of memory leaks and crashes on edge cases. (ndossche)
 -
 -- PDO_Firebird:
 -  . Fixed GHSA-w476-322c-wpvm (SQL injection via NUL bytes in quoted strings).
 -    (CVE-2025-14179) (SakiTakamachi)
 -
 -- PDO_PGSQL:
 -  . Fixed bug GH-21683 (pdo_pgsql throws with ATTR_PREFETCH=0
 -    on empty result set). (thomasschiet)
 -
 -- Phar:
 -  . Restore is_link handler in phar_intercept_functions_shutdown. (iliaal)
 -  . Fixed bug GH-21797 (phar: NULL dereference in Phar::webPhar() when
 -    SCRIPT_NAME is absent from SAPI environment). (iliaal)
 -  . Fix memory leak in Phar::offsetGet(). (iliaal)
 -  . Fix memory leak in phar_add_file(). (iliaal)
 -  . Fixed bug GH-21799 (phar: propagate phar_stream_flush return value from
 -    phar_stream_close). (iliaal)
 -  . Fix memory leak in phar_verify_signature() when md_ctx is invalid.
 -    (JarneClauw)
 -
 -- Random:
 -  . Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize()
 -    accepts all-zero state). (iliaal)
 -
 -- Session:
 -  . Fixed memory leak when session GC callback return a refcounted value.
 -    (jorgsowa)
 -
 -- SOAP:
 -  . Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache
 -    Map). (CVE-2026-6722) (ilutov)
 -  . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with
 -    SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov)
 -  . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check).
 -    (CVE-2026-7262) (ilutov)
 -
 -- SPL:
 -  . Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent
 -    free). (Girgias)
 -  . Fix concurrent iteration and deletion issues in SplObjectStorage.
 -    (ndossche)
 -
 -- Sqlite3:
 -  . Fixed wrong free list comparator pointer type. (David Carlier)
 -
 -- Standard:
 -  . Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset).
 -    (CVE-2026-7568) (TimWolla)
 -  . Fixed GHSA-m8rr-4c36-8gq4 (Consistently pass unsigned char to ctype.h
 -    functions). (CVE-2026-7258) (ilutov)
 -
 -- Streams:
 -  . Fixed bug GH-21468 (Segfault in file_get_contents w/ a https URL
 -    and a proxy set). (ndossche)
 -
 -- URI:
 -  . Fixed CVE-2026-42371 (uriparser before 1.0.1 has numeric truncation in
 -    text range comparison). (CVE-2026-42371) (Joshua W. Windle)
 -
 -26 Mar 2026, PHP 8.5.5
 -
 -- Core:
 -  . Fixed bug GH-20672 (Incorrect property_info sizing for locally shadowed
 -    trait properties). (ilutov)
 -  . Fixed bugs GH-20875, GH-20873, GH-20854 (Propagate IN_GET guard in
 -    get_property_ptr_ptr for lazy proxies). (iliaal)
 -
 -- Bz2:
 -  . Fix truncation of total output size causing erroneous errors. (ndossche)
 -
 -- DOM:
 -  . Fixed bug GH-21486 (Dom\HTMLDocument parser mangles xml:space and
 -    xml:lang attributes). (ndossche)
 -
 -- FFI:
 -  . Fixed resource leak in FFI::cdef() onsymbol resolution failure.
 -    (David Carlier)
 -
 -- GD:
 -  . Fixed bug GH-21431 (phpinfo() to display libJPEG 10.0 support).
 -    (David Carlier)
 -
 -- Opcache:
 -  . Fixed bug GH-21052 (Preloaded constant erroneously propagated to file-cached
 -    script). (ilutov)
 -  . Fixed bug GH-20838 (JIT compiler produces wrong arithmetic results).
 -    (Dmitry, iliaal)
 -  . Fixed bug GH-21267 (JIT tracing: infinite loop on FETCH_OBJ_R with
 -    IS_UNDEF property in polymorphic context). (Dmitry, iliaal)
 -  . Fixed bug GH-21395 (uaf in jit). (ndossche)
 -
 -- OpenSSL:
 -  . Fixed bug GH-21083 (Skip private_key_bits validation for EC/curve-based
 -    keys). (iliaal)
 -  . Fix missing error propagation for BIO_printf() calls. (ndossche)
 -
 -- PCNTL:
 -  . Fixed signal handler installation on AIX by bumping the storage size of the
 -    num_signals global. (Calvin Buckley)
 -
 -- PCRE:
 -  . Fixed re-entrancy issue on php_pcre_match_impl, php_pcre_replace_impl,
 -    php_pcre_split_impl, and php_pcre_grep_impl. (David Carlier)
 -
 -- Phar:
 -  . Fixed bug GH-21333 (use after free when unlinking entries during iteration
 -    of a compressed phar). (David Carlier)
 -
 -- SNMP:
 -  . Fixed bug GH-21336 (SNMP::setSecurity() undefined behavior with
 -    NULL arguments). (David Carlier)
 -
 -- SOAP:
 -  . Fixed Set-Cookie parsing bug wrong offset while scanning attributes.
 +  . Fixed bug GH-22046 (The unserialize function can lead to segfault when
 +    non-Serializable internal classes are serialized back with the C format).
 +    (kocsismate)
 +  . Fixed bug GH-22292 (AST pretty printing does not correctly handle invalid
 +    variable names). (timwolla)
 +  . Fixed bug GH-22291 (AST pretty printing does not correctly handle braces in
 +    string interpolation). (timwolla)
 +  . Fixed bug GH-22373 (AST pretty-printing drops meaningful parentheses
 +    surrounding property access). (timwolla)
 +  . Fixed GH-22422 (zend_arena layout mismatch leaked memory in separately
 +    built extensions under AddressSanitizer). (iliaal)
 +  . TSRM: use local-exec TLS in PIE executables. (henderkes)
 +  . perf: make all static extensions use TSRMG_STATIC. (henderkes)
 +  . Fixed bug GH-22257 (type confusion in Exception::getTraceAsString()).
      (David Carlier)
 +  . TSRM: make CG, EG, SCNG and AG compile-time offsets. (henderkes)
 +  . Deprecate returning values from __construct() and __destruct(). (timwolla)

 -- SPL:
 -  . Fixed bug GH-21454 (missing write lock validation in SplHeap).
 -    (ndossche)
 -
 -- Standard:
 -  . Fixed bug GH-20906 (Assertion failure when messing up output buffers).
 -    (ndossche)
 -  . Fixed bug GH-20627 (Cannot identify some avif images with getimagesize).
 -    (y-guyon)
 -  . Fixed bug GH-22171 (Invalid auth header generation in
 -    http(s) stream wrapper). (David Carlier)
 -
 -- Sysvshm:
 -  . Fix memory leak in shm_get_var() when variable is corrupted. (ndossche)
 -
 -- XSL:
 -  . Fix GH-21357 (XSLTProcessor works with DOMDocument, but fails with
 -    Dom\XMLDocument). (ndossche)
 -  . Fixed bug GH-21496 (UAF in dom_objects_free_storage).
 -    (David Carlier/ndossche)
 -
 -12 Mar 2026, PHP 8.5.4
 +- BCMath:
 +  . Added NUL-byte validation to BCMath functions. (jorgsowa)

 -- Core:
 -  . Fixed bug GH-21029 (zend_mm_heap corrupted on Aarch64, LTO builds). (Arnaud)
 -  . Fixed bug GH-21059 (Segfault when preloading constant AST closure). (ilutov)
 -  . Fixed bug GH-21072 (Crash on (unset) cast in constant expression).
 -    (arshidkv12)
 -  . Fix deprecation now showing when accessing null key of an array with JIT.
 -    (alexandre-daubois)
 -  . Fixed bug GH-20657 (Assertion failure in zend_lazy_object_get_info triggered
 -    by setRawValueWithoutLazyInitialization() and newLazyGhost()). (Arnaud)
 -  . Fixed bug GH-20504 (Assertion failure in zend_get_property_guard when
 -    accessing properties on Reflection LazyProxy via isset()). (Arnaud)
 -  . Fixed OSS-Fuzz #478009707 (Borked assign-op/inc/dec on untyped hooked
 -    property backing value). (ilutov)
 -  . Fixed bug GH-21215 (Build fails with -std=). (Arnaud)
 -  . Fixed bug GH-13674 (Build system installs libtool wrappers when using
 -    slibtool). (Michael Orlitzky)
 +- BZ2:
 +  . Reject oversized input in bzdecompress(). (arshidkv12)

  - Curl:
 -  . Don't truncate length. (ndossche)
 -
 -- Date:
 -  . Fixed bug GH-20936 (DatePeriod::__set_state() cannot handle null start).
 -    (ndossche)
 -  . Fix timezone offset with seconds losing precision. (ndossche)
 -
 -- DOM:
 -  . Fixed bug GH-21077 (Accessing Dom\Node::baseURI can throw TypeError).
 -    (ndossche)
 -  . Fixed bug GH-21097 (Accessing Dom\Node properties can can throw TypeError).
 -    (ndossche)
 -
 -- LDAP:
 -  . Fixed bug GH-21262 (ldap_modify() too strict controls argument validation
 -    makes it impossible to unset attribute). (David Carlier)
 -
 -- MBString:
 -  . Fixed bug GH-21223; mb_guess_encoding no longer crashes when passed huge
 -    list of candidate encodings (with 200,000+ entries). (Jordi Kroon)
 -
 -- Opcache:
 -  . Fixed bug GH-20718 ("Insufficient shared memory" when using JIT on Solaris).
 -    (Petr Sumbera)
 -  . Fixed bug GH-21227 (Borked SCCP of array containing partial object).
 -    (ilutov)
 -
 -- OpenSSL:
 -  . Fix a bunch of leaks and error propagation. (ndossche)
 -
 -- Windows:
 -  . Fixed compilation with clang (missing intrin.h include). (Kévin Dunglas)
 -
 -29 Jan 2026, PHP 8.5.3
 -
 -- Core:
 -  . Fixed bug GH-20806 (preserve_none feature compatiblity with LTO).
 -    (henderkes)
 -  . Fixed bug GH-20767 (build failure with musttail/preserve_none feature
 -    on macOs). (David Carlier)
 -  . Fixed bug GH-20837 (NULL dereference when calling ob_start() in shutdown
 -    function triggered by bailout in php_output_lock_error()). (timwolla)
 -  . Fix OSS-Fuzz #471533782 (Infinite loop in GC destructor fiber). (ilutov)
 -  . Fix OSS-Fuzz #472563272 (Borked block_pass JMP[N]Z optimization). (ilutov)
 -  . Fixed bug GH-20914 (Internal enums can be cloned and compared). (Arnaud)
 -  . Fix OSS-Fuzz #474613951 (Leaked parent property default value). (ilutov)
 -  . Fixed bug GH-20895 (ReflectionProperty does not return the PHPDoc of a
 -    property if it contains an attribute with a Closure). (timwolla)
 -  . Fixed bug GH-20766 (Use-after-free in FE_FREE with GC interaction). (Bob)
 -  . Fix OSS-Fuzz #471486164 (Broken by-ref assignment to uninitialized hooked
 -    backing value). (ilutov)
 -  . Fix OSS-Fuzz #438780145 (Nested finally with repeated return type check may
 -    uaf). (ilutov)
 -  . Fixed bug GH-20905 (Lazy proxy bailing __clone assertion). (ilutov)
 -  . Fixed bug GH-20479 (Hooked object properties overflow). (ndossche)
 +  . Add support for CURLINFO_SIZE_DELIVERED (libcurl >= 8.20.0). (Ayesh)

  - Date:
    . Update timelib to 2022.16. (Derick)
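
Review bot: The new DBA entry at the top of the 8.6.0alpha2 block ("Fixed OOB read on malformed length field in dba flatfile handler") carries no GH or GHSA reference, unlike the Exif (GH-11020) and Session (GH-21314) entries merged alongside it. An out-of-bounds read in a file-format handler is a memory-safety fix that downstream packagers will want to trace and backport, so add the issue or advisory id if one exists. Separately, the Core line "Fix deprecation now showing when accessing null key of an array with JIT" reads like a typo for "not showing" and could be corrected while NEWS is being touched.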
diff --cc ext/session/php_session.h
index 08c08b9a024,eb203012137..2a1d782fd72
--- a/ext/session/php_session.h
+++ b/ext/session/php_session.h
@@@ -179,10 -198,12 +179,11 @@@ typedef struct _php_ps_globals
  	bool rfc1867_enabled; /* session.upload_progress.enabled */
  	bool rfc1867_cleanup; /* session.upload_progress.cleanup */

 -	bool use_strict_mode; /* whether or not PHP accepts unknown session ids */
 -	bool lazy_write; /* omit session write when it is possible */
 -	bool in_save_handler; /* state if session is in save handler or not */
 -	bool set_handler;     /* state if session module i setting handler or not */
 +	bool mod_user_implemented;
 +	bool mod_user_is_open;
 +	bool mod_user_uses_object_methods_as_handlers;
 +	bool use_trans_sid; /* contains the INI value of whether to use trans-sid */
+ 	bool random_seeded;
 -	zend_string *session_vars; /* serialized original session data */
  } php_ps_globals;

  typedef php_ps_globals zend_ps_globals;
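
Review bot: `bool random_seeded;` at the end of `php_ps_globals` is added without a comment, while the adjacent `use_trans_sid` documents what it holds. The name alone does not say what is seeded, which code path sets the flag, or whether it is reset per request or kept for the lifetime of the process (per thread under ZTS, since it lives in the module globals). Please add a one-line comment covering that, and state whether the flag belongs to the session GC path that this merge fixes (GH-21314), so a later reader can tell when it is safe to rely on it.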