Commit 663e77dae5d for php.net

commit 663e77dae5dfee8b222f328cadc07f679c002848
Merge: 089fabcd931 6c1db260284
Author: Ilia Alshanetsky <ilia@ilia.ws>
Date:   Tue Jun 23 08:30:01 2026 -0400

    Merge branch 'PHP-8.5'

    * PHP-8.5:
      Fix session save-handler argv leak on recursive rejection

diff --cc ext/session/mod_user.c
index c87e9654c4e,71b18612683..71b8abdea8b
--- a/ext/session/mod_user.c
+++ b/ext/session/mod_user.c
@@@ -24,19 -27,19 +24,19 @@@ static void ps_call_handler(zval *func
  {
  	int i;
  	if (PS(in_save_handler)) {
 -		PS(in_save_handler) = 0;
 +		PS(in_save_handler) = false;
  		ZVAL_UNDEF(retval);
  		php_error_docref(NULL, E_WARNING, "Cannot call session save handler in a recursive manner");
- 		return;
- 	}
- 	PS(in_save_handler) = true;
- 	if (call_user_function(NULL, NULL, func, retval, argc, argv) == FAILURE) {
- 		zval_ptr_dtor(retval);
- 		ZVAL_UNDEF(retval);
- 	} else if (Z_ISUNDEF_P(retval)) {
- 		ZVAL_NULL(retval);
+ 	} else {
 -		PS(in_save_handler) = 1;
++		PS(in_save_handler) = true;
+ 		if (call_user_function(NULL, NULL, func, retval, argc, argv) == FAILURE) {
+ 			zval_ptr_dtor(retval);
+ 			ZVAL_UNDEF(retval);
+ 		} else if (Z_ISUNDEF_P(retval)) {
+ 			ZVAL_NULL(retval);
+ 		}
 -		PS(in_save_handler) = 0;
++		PS(in_save_handler) = false;
  	}
- 	PS(in_save_handler) = false;
  	for (i = 0; i < argc; i++) {
  		zval_ptr_dtor(&argv[i]);
  	}