From 3f7bfaf3aecb35ea9af75933b16e9a01371c1cbd Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Fri, 2 Jan 2026 06:00:47 -0800
Subject: [PATCH] uri: Fix RFC3986 to_string implementation with
 ExcludeFragment returning non-terminated strings (#20811)

zend_string_truncate() doesn't put a NUL byte.
Right now this doesn't matter as this code path is only hittable via the
equals() method, but if other extension (or future other code) starts
using this code path, then it can be problematic as all user-exposed
zend_strings need to end with a NUL byte.
---
 ext/uri/uri_parser_rfc3986.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ext/uri/uri_parser_rfc3986.c b/ext/uri/uri_parser_rfc3986.c
index 29d20258994..6c0bdec4b11 100644
--- a/ext/uri/uri_parser_rfc3986.c
+++ b/ext/uri/uri_parser_rfc3986.c
@@ -595,6 +595,7 @@ ZEND_ATTRIBUTE_NONNULL static zend_string *php_uri_parser_rfc3986_to_string(void
 		const char *pos = zend_memrchr(ZSTR_VAL(uri_string), '#', ZSTR_LEN(uri_string));
 		if (pos != NULL) {
 			uri_string = zend_string_truncate(uri_string, (pos - ZSTR_VAL(uri_string)), false);
+			ZSTR_VAL(uri_string)[ZSTR_LEN(uri_string)] = '\0';
 		}
 	}