Fix GH-13891: memleak and segfault when using ini_set with session.trans_sid_hosts

ext/session/tests/gh13891.phpt

@@ -0,0 +1,26 @@
+--TEST--
+GH-13891 (memleak and segfault when using ini_set with session.trans_sid_hosts)
+--INI--
+session.use_cookies=0
+session.use_only_cookies=0
+session.use_trans_sid=1
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+// We *must* set it here because the bug only triggers on a runtime edit
+ini_set('session.trans_sid_hosts','php.net');
+session_id('sessionidhere');
+session_start();
+?>
+<p><a href="index.php">Click This Anchor Tag!</a></p>
+<p><a href="index.php#place">External link with anchor</a></p>
+<p><a href="http://php.net#foo">External link with anchor 2</a></p>
+<p><a href="#place">Internal link</a></p>
+--EXPECT--
+<p><a href="index.php?PHPSESSID=sessionidhere">Click This Anchor Tag!</a></p>
+<p><a href="index.php?PHPSESSID=sessionidhere#place">External link with anchor</a></p>
+<p><a href="http://php.net?PHPSESSID=sessionidhere#foo">External link with anchor 2</a></p>
+<p><a href="#place">Internal link</a></p>

ext/standard/url_scanner_ex.re

@@ -138,9 +138,13 @@ static int php_ini_on_update_hosts(zend_ini_entry *entry, zend_string *new_value
 		}
 		keylen = q - key;
 		if (keylen > 0) {
-			tmp_key = zend_string_init(key, keylen, 0);
+			/* Note: the hash table is persistently allocated, so the strings must be too!
+			 * FIXME: the reason this is persistent is because the tables are allocated in GINIT,
+			 *        so it survives the request. This also means that the values set by `init_set` carry
+			 *        over from request to request, which is strange... */
+			tmp_key = zend_string_init(key, keylen, true);
 			zend_hash_add_empty_element(hosts, tmp_key);
-			zend_string_release_ex(tmp_key, 0);
+			zend_string_release_ex(tmp_key, true);
 		}
 	}
 	efree(tmp);