Merge branch 'PHP-8.4' into PHP-8.5

* PHP-8.4:
  ext/session: fix missing zval_ptr_dtor for retval in PS_GC_FUNC(user)

Author: Girgias

NEWS

@@ -64,6 +64,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize()
     accepts all-zero state). (iliaal)
 
+- Session:
+  . Fixed memory leak when session GC callback return a refcounted value.
+    (jorgsowa)
+
 - SPL:
   . Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent
     free). (Girgias)

ext/session/mod_user.c

@@ -218,6 +218,7 @@ PS_GC_FUNC(user)
 		/* Anything else is some kind of error */
 		*nrdels = -1; // Error
 	}
+	zval_ptr_dtor(&retval);
 	return *nrdels;
 }
 

ext/session/tests/user_session_module/gh_gc_retval_leak.phpt

@@ -0,0 +1,33 @@
+--TEST--
+session_gc(): user handler returning non-bool/non-int does not leak memory
+--INI--
+session.gc_probability=0
+session.save_handler=files
+--EXTENSIONS--
+session
+--FILE--
+<?php
+ob_start();
+
+// Procedural API has no return type enforcement, so gc can return a string
+// (reference-counted), which PS_GC_FUNC(user) previously did not free.
+session_set_save_handler(
+    function(string $path, string $name) { return true; },
+    function() { return true; },
+    function(string $id): string|false { return ""; },
+    function(string $id, string $data) { return true; },
+    function(string $id) { return true; },
+    function(int $max) { return str_repeat("x", random_int(100, 100)); }
+);
+
+session_start();
+$result = session_gc();
+var_dump($result);
+session_write_close();
+
+ob_end_flush();
+?>
+--EXPECTF--
+
+Deprecated: session_set_save_handler(): Providing individual callbacks instead of an object implementing SessionHandlerInterface is deprecated in %s on line %d
+bool(false)