Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3:
  Fix GH-16604: Memory leaks in SPL constructors

NEWS

@@ -35,6 +35,7 @@ PHP                                                                        NEWS
   . Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed
     SplFileObject::__constructor). (Girgias)
   . Fixed bug GH-16589 (UAF in SplDoublyLinked->serialize()). (nielsdos)
+  . Fixed bug GH-16604 (Memory leaks in SPL constructors). (nielsdos)
 
 - SysVShm:
   . Fixed bug GH-16591 (Assertion error in shm_put_var). (nielsdos, cmb)

ext/spl/spl_directory.c

@@ -2027,6 +2027,12 @@ PHP_METHOD(SplFileObject, __construct)
 		RETURN_THROWS();
 	}
 
+	/* Prevent reinitialization of Object */
+	if (UNEXPECTED(intern->u.file.stream)) {
+		zend_throw_error(NULL, "Cannot call constructor twice");
+		RETURN_THROWS();
+	}
+
 	intern->u.file.open_mode = zend_string_copy(open_mode);
 	/* file_name and zcontext are copied by spl_filesystem_file_open() */
 	intern->file_name = file_name;
@@ -2070,7 +2076,7 @@ PHP_METHOD(SplTempFileObject, __construct)
 	}
 
 	/* Prevent reinitialization of Object */
-	if (intern->u.file.stream) {
+	if (UNEXPECTED(intern->u.file.stream)) {
 		zend_throw_error(NULL, "Cannot call constructor twice");
 		RETURN_THROWS();
 	}

ext/spl/spl_iterators.c

@@ -524,6 +524,20 @@ static zend_result spl_get_iterator_from_aggregate(zval *retval, zend_class_entr
 	return SUCCESS;
 }
 
+static void spl_RecursiveIteratorIterator_free_iterators(spl_recursive_it_object *object)
+{
+	if (object->iterators) {
+		while (object->level >= 0) {
+			zend_object_iterator *sub_iter = object->iterators[object->level].iterator;
+			zend_iterator_dtor(sub_iter);
+			zval_ptr_dtor(&object->iterators[object->level].zobject);
+			object->level--;
+		}
+		efree(object->iterators);
+		object->iterators = NULL;
+	}
+}
+
 static void spl_recursive_it_it_construct(INTERNAL_FUNCTION_PARAMETERS, zend_class_entry *ce_base, zend_class_entry *ce_inner, recursive_it_it_type rit_type)
 {
 	zval *object = ZEND_THIS;
@@ -594,6 +608,7 @@ static void spl_recursive_it_it_construct(INTERNAL_FUNCTION_PARAMETERS, zend_cla
 	}
 
 	intern = Z_SPLRECURSIVE_IT_P(object);
+	spl_RecursiveIteratorIterator_free_iterators(intern);
 	intern->iterators = emalloc(sizeof(spl_sub_iterator));
 	intern->level = 0;
 	intern->mode = mode;
@@ -640,6 +655,7 @@ static void spl_recursive_it_it_construct(INTERNAL_FUNCTION_PARAMETERS, zend_cla
 	intern->iterators[0].getchildren = NULL;
 
 	if (EG(exception)) {
+		// TODO: use spl_RecursiveIteratorIterator_free_iterators
 		zend_object_iterator *sub_iter;
 
 		while (intern->level >= 0) {
@@ -912,16 +928,7 @@ static void spl_RecursiveIteratorIterator_free_storage(zend_object *_object)
 {
 	spl_recursive_it_object *object = spl_recursive_it_from_obj(_object);
 
-	if (object->iterators) {
-		while (object->level >= 0) {
-			zend_object_iterator *sub_iter = object->iterators[object->level].iterator;
-			zend_iterator_dtor(sub_iter);
-			zval_ptr_dtor(&object->iterators[object->level].zobject);
-			object->level--;
-		}
-		efree(object->iterators);
-		object->iterators = NULL;
-	}
+	spl_RecursiveIteratorIterator_free_iterators(object);
 
 	zend_object_std_dtor(&object->std);
 	for (size_t i = 0; i < 6; i++) {

ext/spl/tests/gh16604_1.phpt

@@ -0,0 +1,15 @@
+--TEST--
+GH-16604 (Memory leaks in SPL constructors) - recursive iterators
+--FILE--
+<?php
+
+$traversable = new RecursiveArrayIterator( [] );
+
+$obj = new RecursiveIteratorIterator( $traversable );
+$obj->__construct( $traversable );
+
+$obj = new RecursiveTreeIterator( $traversable );
+$obj->__construct( $traversable );
+
+?>
+--EXPECT--

ext/spl/tests/gh16604_2.phpt

@@ -0,0 +1,21 @@
+--TEST--
+GH-16604 (Memory leaks in SPL constructors) - SplFileObject
+--FILE--
+<?php
+
+file_put_contents(__DIR__.'/gh16604_2.tmp', 'hello');
+
+$obj = new SplFileObject(__DIR__.'/gh16604_2.tmp');
+try {
+    $obj->__construct(__DIR__.'/gh16604_2.tmp');
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__.'/gh16604_2.tmp');
+?>
+--EXPECT--
+Cannot call constructor twice