PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling

A malicious HTTP/2 client can send DATA frames whose total payload size does not match the `content-length` header sent in the preceding HEADERS frame. By sending more bytes than declared, the attacker smuggles additional content past application-level size limits; by sending fewer bytes and closing the stream early, the attacker causes applications that trust the declared length to behave incorrectly. This violates RFC 9113 §8.1.1 and is only reachable when `Psl\H2\ServerConnection` is used directly to accept untrusted client traffic.

The vulnerability resides in `Psl\H2\ServerConnection` (and the underlying `Psl\H2\Internal\StateMachine`), which failed to validate that the total bytes received in HTTP/2 DATA frames match the `content-length` header declared in the HEADERS frame. The patch adds a new test file `packages/h2/tests/unit/StateMachine/ContentLengthValidationTest.php` that exercises the missing validation logic, confirming the defect is in the server-side state machine's handling of content-length enforcement.

The patch introduces a comprehensive test suite (`ContentLengthValidationTest.php`) that validates content-length enforcement in the server-side state machine. The tests verify that DATA frames matching the declared content-length succeed, while frames exceeding or falling short of the declared length throw a `StreamException` with the message 'content-length mismatch'. Additionally, malformed content-length values (non-digit, empty, negative, hex, whitespace) are rejected, and the validation is correctly skipped when no content-length header is present. The patch does not show the production code changes, but the test expectations confirm that the fix enforces RFC 9113 §8.1.1 by rejecting mismatched payload sizes.