Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3:
  Fix GH-16998: UBSAN warning in rfc1867

NEWS

@@ -37,6 +37,9 @@ PHP                                                                        NEWS
   . Fixed bug GH-16879 (JIT dead code skipping does not update call_level).
     (nielsdos)
 
+- SAPI:
+  . Fixed bug GH-16998 (UBSAN warning in rfc1867). (nielsdos)
+
 - PHPDBG:
   . Fixed bug GH-15208 (Segfault with breakpoint map and phpdbg_clear()).
     (nielsdos)

main/rfc1867.c

@@ -319,8 +319,8 @@ static char *next_line(multipart_buffer *self)
 		}
 		/* return entire buffer as a partial line */
 		line[self->bufsize] = 0;
-		self->buf_begin = ptr;
 		self->bytes_in_buffer = 0;
+		/* Let fill_buffer() handle the reset of self->buf_begin */
 	}
 
 	return line;

tests/basic/gh16998.phpt

@@ -0,0 +1,49 @@
+--TEST--
+GH-16998 (UBSAN warning in rfc1867)
+--SKIPIF--
+<?php
+if (!getenv('TEST_PHP_CGI_EXECUTABLE')) {
+    die("skip php-cgi not available");
+}
+?>
+--FILE--
+<?php
+const FILLUNIT = 5 * 1024;
+$cmd = [
+    getenv('TEST_PHP_CGI_EXECUTABLE'),
+    '-C',
+    '-n',
+    __DIR__ . '/GHSA-9pqp-7h25-4f32.inc',
+];
+$boundary = str_repeat('A', FILLUNIT);
+$body = ""
+    . "--$boundary\r\n"
+    . "Content-Disposition: form-data; name=\"koko\"\r\n"
+    . "\r\n"
+    . "BBB\r\n--" . substr($boundary, 0, -1) . "CCC\r\n"
+    . "--$boundary--\r\n"
+    ;
+$env = array_merge($_ENV, [
+    'REDIRECT_STATUS' => '1',
+    'CONTENT_TYPE' => "multipart/form-data; boundary=",
+    'CONTENT_LENGTH' => strlen($body),
+    'REQUEST_METHOD' => 'POST',
+    'SCRIPT_FILENAME' => __DIR__ . '/GHSA-9pqp-7h25-4f32.inc',
+]);
+$spec = [
+    0 => ['pipe', 'r'],
+    1 => STDOUT,
+    2 => STDOUT,
+];
+$pipes = [];
+$handle = proc_open($cmd, $spec, $pipes, getcwd(), $env);
+fwrite($pipes[0], $body);
+proc_close($handle);
+?>
+--EXPECTF--
+X-Powered-By: PHP/%s
+Content-type: text/html; charset=UTF-8
+
+Hello world
+array(0) {
+}