| author | nagachika <nagachika@ruby-lang.org> | 2023-09-30 13:07:35 +0900 |
|---|---|---|
| committer | nagachika <nagachika@ruby-lang.org> | 2023-09-30 13:07:35 +0900 |
| commit | d30781db4de82a891712f359d7659c9fc98cb215 (patch) | |
| tree | 6b40e64a4dd19fd7b52dc40a729a02f8da3cc5ea | |
| parent | 9ee58b2054c1bbe722ae5a2a4ec6a750ee583220 (diff) | |
merge revision(s) 2214bcb70d9f9120f1f3790ca340236c8f080991: [Backport #19792]
Fix premature string collection during append
Previously, the following crashed due to use-after-free
with AArch64 Alpine Linux 3.18.3 (aarch64-linux-musl):
```ruby
str = 'a' * (32*1024*1024)
p({z: str})
```
32 MiB is the default for `GC_MALLOC_LIMIT_MAX`, and the crash
could be dodged by setting `RUBY_GC_MALLOC_LIMIT_MAX` to large values.
Under a debugger, one can see the `str2` of rb_str_buf_append()
getting prematurely collected while str_buf_cat4() allocates capacity.
Add GC guards so the buffer of `str2` lives across the GC run
initiated in str_buf_cat4().
[Bug #19792]
---
string.c | 2 ++
1 file changed, 2 insertions(+)
| -rw-r--r-- | string.c | 2 | ||||
| -rw-r--r-- | version.h | 2 |
2 files changed, 3 insertions, 1 deletions
@@ -3298,6 +3298,7 @@ rb_str_buf_append(VALUE str, VALUE str2)
 case ENC_CODERANGE_7BIT:
 // If RHS is 7bit we can do simple concatenation
 str_buf_cat4(str, RSTRING_PTR(str2), RSTRING_LEN(str2), true);
+ RB_GC_GUARD(str2);
 return str;
 case ENC_CODERANGE_VALID:
 // If RHS is valid, we can do simple concatenation if encodings are the same
@@ -3307,6 +3308,7 @@ rb_str_buf_append(VALUE str, VALUE str2)
 if (UNLIKELY(str_cr != ENC_CODERANGE_VALID)) {
 ENC_CODERANGE_SET(str, RB_ENC_CODERANGE_AND(str_cr, str2_cr));
 }
+ RB_GC_GUARD(str2);
 return str;
 }
 }
@@ -11,7 +11,7 @@
 # define RUBY_VERSION_MINOR RUBY_API_VERSION_MINOR
 #define RUBY_VERSION_TEENY 2
 #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR
-#define RUBY_PATCHLEVEL 118
+#define RUBY_PATCHLEVEL 119
 #include "ruby/version.h"
 #include "ruby/internal/abi.h"
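Review bot: The two added `RB_GC_GUARD(str2)` lines carry no comment explaining why they exist, and a guard whose purpose is not stated in the code is easy to move or drop in a later refactor — it only protects the buffer if it stays after the `str_buf_cat4()` call that reads through `RSTRING_PTR(str2)`, since that call can run GC while `str2` is otherwise dead from the compiler's point of view. Suggest a one-line comment above each guard, e.g. `/* str_buf_cat4() may trigger GC while copying from RSTRING_PTR(str2); keep str2 reachable until the copy is done */`. The same applies to the second hunk at 3308, where the `str_buf_cat4()` call for the VALID branch is above the hunk, so the visible lines cannot confirm that no other raw-pointer use of `str2` follows the guard; worth checking the whole branch. rb_str_buf_append begins before the first hunk and the rest of the switch is outside both hunks, so whether any other branch that reads `RSTRING_PTR(str2)` needs the same guard is not visible here.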
