Merge branch 'PHP-8.5'

* PHP-8.5:
  ext/spl: Fix SplFixedArray::setSize leak when destructor grows during clear.

Author: devnexen

ext/spl/spl_fixedarray.c

@@ -170,18 +170,18 @@ static void spl_fixedarray_resize(spl_fixedarray *array, zend_long size)
 		return;
 	}
 
-	/* first initialization */
-	if (array->size == 0) {
-		spl_fixedarray_init(array, size);
-		return;
-	}
-
 	if (UNEXPECTED(array->cached_resize >= 0)) {
 		/* We're already resizing, so just remember the desired size.
 		 * The resize will happen later. */
 		array->cached_resize = size;
 		return;
 	}
+	/* first initialization */
+	if (array->size == 0) {
+		spl_fixedarray_init(array, size);
+		return;
+	}
+
 	array->cached_resize = size;
 
 	/* clearing the array */

ext/spl/tests/SplFixedArray_setSize_destruct_grow_during_clear.phpt

@@ -0,0 +1,28 @@
+--TEST--
+SplFixedArray::setSize: grow re-entrantly during clear (setSize(0))
+--FILE--
+<?php
+class Reentrant {
+    public ?SplFixedArray $arr = null;
+    public function __destruct() {
+        if ($this->arr !== null) {
+            $this->arr->setSize(5);
+        }
+    }
+}
+
+$arr = new SplFixedArray(2);
+$r = new Reentrant();
+$r->arr = $arr;
+$arr[0] = $r;
+unset($r);
+$arr[1] = "tail";
+
+$arr->setSize(0);
+echo "size: ", $arr->getSize(), "\n";
+$arr[0] = "ok";
+var_dump($arr[0]);
+?>
+--EXPECT--
+size: 5
+string(2) "ok"