Merge branch 'PHP-8.4' into PHP-8.5

* PHP-8.4:
  Fix GH-21731: Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state (#21732)

Author: TimWolla

NEWS

@@ -33,6 +33,10 @@ PHP                                                                        NEWS
   . Fix memory leak regression in openssl_pbkdf2(). (ndossche)
   . Fix a bunch of memory leaks and crashes on edge cases. (ndossche)
 
+- Random:
+  . Fixed bug GH-21731 (Random\Engine\Xoshiro256StarStar::__unserialize()
+    accepts all-zero state). (iliaal)
+
 - SPL:
   . Fixed bug GH-21499 (RecursiveArrayIterator getChildren UAF after parent
     free). (Girgias)

ext/random/engine_xoshiro256starstar.c

@@ -151,6 +151,10 @@ static bool unserialize(void *state, HashTable *data)
 		}
 	}
 
+	if (UNEXPECTED(s->state[0] == 0 && s->state[1] == 0 && s->state[2] == 0 && s->state[3] == 0)) {
+		return false;
+	}
+
 	return true;
 }
 

ext/random/tests/02_engine/xoshiro256starstar_unserialize_zero_state.phpt

@@ -0,0 +1,14 @@
+--TEST--
+GH-21731: Xoshiro256StarStar::__unserialize() must reject the all-zero state
+--FILE--
+<?php
+
+try {
+    var_dump(unserialize('O:32:"Random\Engine\Xoshiro256StarStar":2:{i:0;a:0:{}i:1;a:4:{i:0;s:16:"0000000000000000";i:1;s:16:"0000000000000000";i:2;s:16:"0000000000000000";i:3;s:16:"0000000000000000";}}'));
+} catch (\Exception $e) {
+    echo $e->getMessage(), PHP_EOL;
+}
+
+?>
+--EXPECT--
+Invalid serialization data for Random\Engine\Xoshiro256StarStar object