Fix #73753 - Unpacked Arrays and Duplication

[bp1222]

Bug was exposed in trying to call next() on an array that is not
packed. What ends up happening is when separating a call to
zend_array_dup() is called and falls into the else case for type of
array. This sets the nInternalPointer to invalid-idx, with the
expectation of being set during the zend_array_dup_elements() call.
However, there, we see that if we success duplicating the element,
we never check to see if the sources pointer is the current index.

This fix checks to see if we can dup the element, and if so, check
to see if the idx is the sources internal pointer, to set it.

[nikic]

I think this can also be solved (more efficiently) by changing the target->nInternalPointer = HT_INVALID_IDX initialization to target->nInternalPointer = source->nInternalPointer, as is done in the packed case. If the IAP is after the first hole, then the already existing code in dup_elements should take care of moving it back to the appropriate position.

[bp1222]

I was first thinking that could be a solution, however the check at the end of the else case, if (idx > 0 && target->nInternalPointer == HT_INVALID_IDX) { wouldn't make much sense if you did that, since the zend_array_dupe_elements() wouldn't ever set the nInternalPointer to the HT_INVALID_IDX.

So I could do the set, and just drop that portion setting to 0 if HT_INVALID_IDX

[nikic]

Not sure I understand. source->nInternalPointer may be HT_INVALID_IDX, in which case target->nInternPointer (after copying) would be as well. This clause resets it to zero.

[bp1222]

The way I was reading it would be that target->nInternalPointer would not again be set to HT_INVALID_INDEX through zend_array_dup_elements and zend_array_dupe_element, so the end case there in the else if (idx > 0 && target->nInternalIndex == HT_INVALID_IDX) would always fail. Unless i'm missing where the index could be set to invalid within that execution. I'll update with your comment

[nikic]

Merged via 5733fd1, thanks!