Fix GH-16630: UAF in lexer with encoding translation and heredocs

zend_save_lexical_state() can be nested multiple times, for example for
the parser initialization and then in the heredoc lexing. The input
should not be freed if we restore to the same filtered string.

Closes GH-16716.

Author: nielsdos

NEWS

@@ -12,6 +12,8 @@ PHP                                                                        NEWS
     (frankenphp)). (nielsdos)
   . Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
     (nielsdos)
+  . Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
+    (nielsdos)
 
 - FPM:
   . Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka)

Zend/tests/gh16630.phpt

@@ -0,0 +1,19 @@
+--TEST--
+GH-16630 (UAF in lexer with encoding translation and heredocs)
+--EXTENSIONS--
+mbstring
+--INI--
+zend.multibyte=On
+zend.script_encoding=ISO-8859-1
+internal_encoding=EUC-JP
+--FILE--
+<?php
+$data3 = <<<CODE
+heredoc
+text
+CODE;
+echo $data3;
+?>
+--EXPECT--
+heredoc
+text

Zend/zend_language_scanner.l

@@ -275,7 +275,7 @@ ZEND_API void zend_restore_lexical_state(zend_lex_state *lex_state)
 	CG(zend_lineno) = lex_state->lineno;
 	zend_restore_compiled_filename(lex_state->filename);
 
-	if (SCNG(script_filtered)) {
+	if (SCNG(script_filtered) && SCNG(script_filtered) != lex_state->script_filtered) {
 		efree(SCNG(script_filtered));
 		SCNG(script_filtered) = NULL;
 	}