Fix GH-19397: mb_list_encodings() can cause crashes on shutdown

The request shutdown does not necessarily hold the last reference, if
there is still a CV that refers to the array.

Closes GH-19405.

Author: nielsdos

NEWS

@@ -46,6 +46,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-19098 (libxml<2.13 segmentation fault caused by
     php_libxml_node_free). (nielsdos)
 
+- MbString:
+  . Fixed bug GH-19397 (mb_list_encodings() can cause crashes on shutdown).
+    (nielsdos)
+
 - Opcache:
   . Reset global pointers to prevent use-after-free in zend_jit_status().
     (Florian Engelhardt)

ext/mbstring/mbstring.c

@@ -1165,8 +1165,8 @@ PHP_RSHUTDOWN_FUNCTION(mbstring)
 	MBSTRG(outconv_state) = 0;
 
 	if (MBSTRG(all_encodings_list)) {
-		GC_DELREF(MBSTRG(all_encodings_list));
-		zend_array_destroy(MBSTRG(all_encodings_list));
+		/* must be *array* release to remove from GC root buffer and free the hashtable itself */
+		zend_array_release(MBSTRG(all_encodings_list));
 		MBSTRG(all_encodings_list) = NULL;
 	}
 

ext/mbstring/tests/gh19397.phpt

@@ -0,0 +1,11 @@
+--TEST--
+GH-19397 (mb_list_encodings() can cause crashes on shutdown)
+--EXTENSIONS--
+mbstring
+--FILE--
+<?php
+$doNotDeleteThisVariableAssignment = mb_list_encodings();
+var_dump(count($doNotDeleteThisVariableAssignment) > 0);
+?>
+--EXPECT--
+bool(true)