Merge branch 'PHP-8.4' into PHP-8.5

* PHP-8.4:
  Fix use-after-free when ArrayObject sort comparator replaces backing store

Author: iliaal

ext/spl/spl_array.c

@@ -928,6 +928,10 @@ static zend_result spl_array_skip_protected(spl_array_object *intern, HashTable
 static void spl_array_set_array(zval *object, spl_array_object *intern, zval *array, zend_long ar_flags, bool just_array) {
 	/* Handled by ZPP prior to this, or for __unserialize() before passing to here */
 	ZEND_ASSERT(Z_TYPE_P(array) == IS_ARRAY || Z_TYPE_P(array) == IS_OBJECT);
+	if (intern->nApplyCount > 0) {
+		zend_throw_error(NULL, "Modification of ArrayObject during sorting is prohibited");
+		return;
+	}
 	zval garbage;
 	ZVAL_UNDEF(&garbage);
 	if (Z_TYPE_P(array) == IS_ARRAY) {

ext/spl/tests/ArrayObject_construct_during_sorting.phpt

@@ -0,0 +1,34 @@
+--TEST--
+Can't use __construct() to replace the backing store while ArrayObject is being sorted
+--FILE--
+<?php
+
+$ao = new ArrayObject([1, 2, 3]);
+$other = new ArrayObject([4, 5, 6]);
+$i = 0;
+$ao->uasort(function($a, $b) use ($ao, $other, &$i) {
+    if ($i++ == 0) {
+        try {
+            $ao->__construct($other);
+        } catch (Error $e) {
+            echo $e->getMessage(), "\n";
+        }
+    }
+    return $a <=> $b;
+});
+var_dump($ao);
+
+?>
+--EXPECT--
+Modification of ArrayObject during sorting is prohibited
+object(ArrayObject)#1 (1) {
+  ["storage":"ArrayObject":private]=>
+  array(3) {
+    [0]=>
+    int(1)
+    [1]=>
+    int(2)
+    [2]=>
+    int(3)
+  }
+}