GHSA-pw9p-jvrm-f7rm
PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling
Details
## Impact
`Psl\H2\ServerConnection` does not validate that the total bytes received in DATA frames match the `content-length` header declared in the HEADERS frame, in violation of RFC 9113 §8.1.1.
A malicious client can:

- Send more DATA bytes than declared, smuggling additional content past application-level size limits.
- Send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly.
The vulnerability is only reachable for consumers using `Psl\H2\ServerConnection` directly to accept untrusted client traffic. The high-level `Psl\HTTP\Server` is in active development and was not yet released at the time of this advisory; consumers of documented high-level PSL APIs are not affected.
## Patches
Fixed in [6.1.2](https://github.com/php-standard-library/php-standard-library/releases/tag/6.1.2) and [6.2.1](https://github.com/php-standard-library/php-standard-library/releases/tag/6.2.1).
The fix:

- Parses and validates the `content-length` header on incoming HEADERS (server-side only — clients do not enforce this per RFC 9110 §9.3.2).
- Tracks cumulative DATA frame payload length per stream.
- Throws `StreamException` on mismatch or overflow.
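As an added illustration (not PSL's own code, and with hypothetical class and method names), the following sketch models the per-stream check described above: it parses `content-length` on HEADERS, accumulates DATA payload lengths, and throws `StreamException` as soon as the declared length is exceeded, or when a stream ends having delivered fewer bytes than declared. It assumes the caller has already decoded the HPACK header block into a lower-cased name => values map and has stripped DATA frame padding.

```php
<?php
declare(strict_types=1);
// Hypothetical names; models the per-stream check the fix adds, not PSL's own code.
final class StreamException extends \RuntimeException {}

final class ContentLengthTracker
{
    private array $declared = []; // stream id => declared content-length, or null if none
    private array $received = []; // stream id => cumulative DATA payload bytes

    /** @param array<string, list<string>> $headers lower-cased field name => values */
    public function onHeaders(int $streamId, array $headers, bool $endStream): void
    {
        $values = $headers['content-length'] ?? [];
        // RFC 9110 §8.6: exactly one non-negative decimal integer (no sign, whitespace or
        // duplicates); at most 18 digits so the (int) cast cannot silently overflow.
        if (count($values) > 1 || ($values !== [] && !preg_match('/^(?:0|[1-9][0-9]{0,17})\z/', $values[0]))) {
            throw new StreamException("stream {$streamId}: malformed content-length");
        }
        $this->declared[$streamId] = $values === [] ? null : (int) $values[0];
        $this->received[$streamId] = 0;
        // A HEADERS frame carrying END_STREAM with a non-zero declared length is malformed.
        if ($endStream) { $this->finish($streamId); }
    }

    /** $payloadLength is the DATA frame payload minus padding (RFC 9113 §8.1.1). */
    public function onData(int $streamId, int $payloadLength, bool $endStream): void
    {
        $total = ($this->received[$streamId] ?? 0) + $payloadLength;
        $this->received[$streamId] = $total;
        $declared = $this->declared[$streamId] ?? null;
        // Overflow: fail as soon as the declared length is exceeded, not at END_STREAM.
        if ($declared !== null && $total > $declared) {
            throw new StreamException("stream {$streamId}: DATA exceeds content-length {$declared}");
        }
        if ($endStream) { $this->finish($streamId); }
    }

    private function finish(int $streamId): void
    {
        $declared = $this->declared[$streamId] ?? null;
        $received = $this->received[$streamId] ?? 0;
        unset($this->declared[$streamId], $this->received[$streamId]);
        // Underflow: stream ended with fewer bytes than declared.
        if ($declared !== null && $received !== $declared) {
            throw new StreamException("stream {$streamId}: got {$received} of {$declared} declared bytes");
        }
    }
}
```

A connection handler would call `onHeaders` for each request HEADERS frame and `onData` for each DATA frame, and answer the exception with a RST_STREAM (PROTOCOL_ERROR) rather than handing the partial body to the application.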
Regression tests landed in [#781](https://github.com/php-standard-library/php-standard-library/pull/781); 9 of the new tests fail against the pre-fix code, demonstrating that the validation boundary is now enforced.
## Workarounds
None at the protocol layer. Applications using `Psl\H2\ServerConnection` directly should upgrade.
## Resources
- RFC 9113 §8.1.1 (HTTP/2 request/response exchange)
- RFC 9110 §8.6 (content-length header)
- https://github.com/php-standard-library/php-standard-library/releases/tag/6.1.2
- https://github.com/php-standard-library/php-standard-library/releases/tag/6.2.1
Affected packages

| Package | Affected version | Fixed in | Upgrade command |
| --- | --- | --- | --- |
| php-standard-library/h2 | 6.1.0 | 6.1.2 | `composer require php-standard-library/h2:^6.1.2` |
| php-standard-library/h2 | 6.2.0 | 6.2.1 | `composer require php-standard-library/h2:^6.2.1` |
| php-standard-library/php-standard-library | 6.1.0 | 6.1.2 | `composer require php-standard-library/php-standard-library:^6.1.2` |
| php-standard-library/php-standard-library | 6.2.0 | 6.2.1 | `composer require php-standard-library/php-standard-library:^6.2.1` |

References
- https://github.com/php-standard-library/php-standard-library/security/advisories/GHSA-pw9p-jvrm-f7rm [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-48979 [ADVISORY]
- https://github.com/php-standard-library/php-standard-library [PACKAGE]
- https://github.com/php-standard-library/php-standard-library/releases/tag/6.1.2 [WEB]
- https://github.com/php-standard-library/php-standard-library/releases/tag/6.2.1 [WEB]