Stale array iterator pointer

Fixes GH-19613

Author: iluuu1994

Zend/tests/gh19613.phpt

@@ -0,0 +1,22 @@
+--TEST--
+GH-19613: Invalidated array iterator pointer after array separation
+--FILE--
+<?php
+
+$a = [1];
+$i = 0;
+
+foreach ($a as &$v) {
+    $a[0] = $a;
+    foreach ($v as &$w) {
+        $w = $a;
+
+        if ($i++ == 64) {
+            die("===DONE===\n");
+        }
+    }
+}
+
+?>
+--EXPECT--
+===DONE===

Zend/zend_hash.c

@@ -630,8 +630,15 @@ ZEND_API HashPosition ZEND_FASTCALL zend_hash_iterator_pos_ex(uint32_t idx, zval
 				&& EXPECTED(!HT_ITERATORS_OVERFLOW(ht))) {
 			HT_DEC_ITERATORS_COUNT(iter->ht);
 		}
-		SEPARATE_ARRAY(array);
-		ht = Z_ARRVAL_P(array);
+
+		/* Inlined SEPARATE_ARRAY() with updating of iterator when EG(ht_iterators) grows. */
+		if (UNEXPECTED(GC_REFCOUNT(ht) > 1)) {
+			ZVAL_ARR(array, zend_array_dup(ht));
+			GC_TRY_DELREF(ht);
+			iter = EG(ht_iterators) + idx;
+			ht = Z_ARRVAL_P(array);
+		}
+
 		if (EXPECTED(!HT_ITERATORS_OVERFLOW(ht))) {
 			HT_INC_ITERATORS_COUNT(ht);
 		}