Commit 3f7bfaf3aec for php.net

commit 3f7bfaf3aecb35ea9af75933b16e9a01371c1cbd
Author: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date:   Fri Jan 2 06:00:47 2026 -0800

    uri: Fix RFC3986 to_string implementation with ExcludeFragment returning non-terminated strings (#20811)

    zend_string_truncate() doesn't put a NUL byte.
    Right now this doesn't matter as this code path is only hittable via the
    equals() method, but if other extension (or future other code) starts
    using this code path, then it can be problematic as all user-exposed
    zend_strings need to end with a NUL byte.

diff --git a/ext/uri/uri_parser_rfc3986.c b/ext/uri/uri_parser_rfc3986.c
index 29d20258994..6c0bdec4b11 100644
--- a/ext/uri/uri_parser_rfc3986.c
+++ b/ext/uri/uri_parser_rfc3986.c
@@ -595,6 +595,7 @@ ZEND_ATTRIBUTE_NONNULL static zend_string *php_uri_parser_rfc3986_to_string(void
 		const char *pos = zend_memrchr(ZSTR_VAL(uri_string), '#', ZSTR_LEN(uri_string));
 		if (pos != NULL) {
 			uri_string = zend_string_truncate(uri_string, (pos - ZSTR_VAL(uri_string)), false);
+			ZSTR_VAL(uri_string)[ZSTR_LEN(uri_string)] = '\0';
 		}
 	}