Fix heap-use-after-free in stream_socket_accept during coroutine cancellation

Add CHANGELOG entry for 0.6.6 and regression test.

The actual fix is in php-src: network_async_accept_incoming() and
php_network_accept_incoming_ex() borrowed the exception message string
without addref, causing UAF when the caller released it.

Author: EdmondDantes

CHANGELOG.md

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 - **`Scope::awaitCompletion()` not marking cancellation Future as used**: The cancellation token passed to `awaitCompletion()` was never marked with `RESULT_USED` / `EXC_CAUGHT`, causing a spurious "Future was never used" warning when the Future was destroyed. Additionally, early return paths (scope already finished, closed, or cancelled) skipped the marking entirely. Fixed by setting flags immediately after parameter parsing, before any early returns.
 - **`Scope::awaitAfterCancellation()` not marking cancellation Future as used**: Same issue as `awaitCompletion()` — the optional cancellation Future was only marked when the method reached `resume_when`, but early returns bypassed it. Fixed identically.
+- **Heap-use-after-free in `stream_socket_accept()` during coroutine cancellation**: When a coroutine blocked in `stream_socket_accept()` was cancelled during graceful shutdown, `network_async_accept_incoming()` extracted the exception's message string into `*error_string` without incrementing its refcount (`*error_string = Z_STR_P(message)`). The caller then called `zend_string_release_ex()`, freeing the string while the exception object still referenced it. On exception destruction, `zend_object_std_dtor` accessed the freed string — heap-use-after-free. Fixed by using `zend_string_copy()` to properly addref the borrowed string. Same bug existed in the synchronous path `php_network_accept_incoming_ex()` in `main/network.c` — fixed there too.
 
 ## [0.6.5] - 2026-03-29
 

tests/stream/045-accept_cancel_uaf.phpt

@@ -0,0 +1,57 @@
+--TEST--
+Stream: stream_socket_accept() cancellation does not cause use-after-free
+--DESCRIPTION--
+When a coroutine blocked in stream_socket_accept() is cancelled during graceful
+shutdown, the error_string from network_async_accept_incoming must properly
+addref the exception message string. Otherwise, the caller releases it
+(zend_string_release_ex), freeing the string while the exception object still
+references it — causing heap-use-after-free on exception destruction.
+--FILE--
+<?php
+
+use Async\Scope;
+
+$server = stream_socket_server('tcp://127.0.0.1:0', $errno, $errstr);
+if (!$server) {
+    die("Failed to create server: $errstr ($errno)\n");
+}
+
+$address = stream_socket_get_name($server, false);
+echo "Server listening on $address\n";
+
+stream_set_blocking($server, false);
+
+$scope = Scope::inherit()->asNotSafely();
+
+// Coroutine that blocks on stream_socket_accept — will be cancelled during
+// graceful shutdown when the sibling coroutine throws.
+$scope->spawn(function () use ($server) {
+    echo "Coroutine 1: waiting for connection\n";
+    $client = @stream_socket_accept($server, 30);
+    echo "Coroutine 1: done\n";
+});
+
+// Coroutine that throws to trigger graceful shutdown of the scope
+$scope->spawn(function () {
+    echo "Coroutine 2: throwing\n";
+    throw new \RuntimeException("Trigger graceful shutdown");
+});
+
+try {
+    $scope->awaitCompletion(\Async\timeout(5000));
+} catch (\Throwable $e) {
+    echo "Caught: " . $e::class . ": " . $e->getMessage() . "\n";
+}
+
+echo "Cleaning up\n";
+fclose($server);
+echo "Done\n";
+
+?>
+--EXPECTF--
+Server listening on %s
+Coroutine 1: waiting for connection
+Coroutine 2: throwing
+Caught: RuntimeException: Trigger graceful shutdown
+Cleaning up
+Done