Commit b83a8d57685 for php.net

commit b83a8d576859fa1b09998ae85a52a4309e789522
Merge: b2d107db4fc 75cea65c997
Author: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date:   Sat May 31 15:38:06 2025 +0200

    Merge branch 'PHP-8.3' into PHP-8.4

    * PHP-8.3:
      Fix reference type confusion and leak in user random engine

diff --cc ext/random/engine_user.c
index e343bc91d48,ce68521c129..955ddebdb99
--- a/ext/random/engine_user.c
+++ b/ext/random/engine_user.c
@@@ -31,13 -32,17 +32,20 @@@ static php_random_result generate(void
  	zend_call_known_instance_method_with_0_params(s->generate_method, s->object, &retval);

  	if (EG(exception)) {
 -		return 0;
 +		return (php_random_result){
 +			.size = sizeof(uint64_t),
 +			.result = 0,
 +		};
  	}

- 	size = Z_STRLEN(retval);
+ 	if (UNEXPECTED(Z_ISREF(retval))) {
+ 		zstr = Z_STR_P(Z_REFVAL(retval));
+ 	} else {
+ 		zstr = Z_STR(retval);
+ 	}
+
+ 	/* Store generated size in a state */
+ 	size = ZSTR_LEN(zstr);

  	/* Guard for over 64-bit results */
  	if (size > sizeof(uint64_t)) {
@@@ -51,10 -57,6 +59,11 @@@
  		}
  	} else {
  		zend_throw_error(random_ce_Random_BrokenRandomEngineError, "A random engine must return a non-empty string");
++		zval_ptr_dtor(&retval);
 +		return (php_random_result){
 +			.size = sizeof(uint64_t),
 +			.result = 0,
 +		};
  	}

  	zval_ptr_dtor(&retval);