]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ec53b60)
Fixed bug #64106: Segfault on SplFixedArray[][x] = y when extended
authorNikita Popov <nikic@php.net>
Wed, 30 Jan 2013 19:23:39 +0000 (20:23 +0100)
committerNikita Popov <nikic@php.net>
Wed, 30 Jan 2013 19:23:39 +0000 (20:23 +0100)
NEWS patch | blob | history
ext/spl/spl_array.c patch | blob | history
ext/spl/spl_fixedarray.c patch | blob | history
ext/spl/tests/bug64106.phpt [new file with mode: 0644] patch | blob

diff --git a/NEWS b/NEWS
index 24a1ba87147f0152c17c9eb2d87846cad421d49b..c230d22c74f86d3055b95de0765f760bc7b5b97f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,9 @@ PHP                                                                        NEWS
 - FPM:
   . Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11). (Adam)
 
+- SPL:
+  . Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended). (Nikita Popov)
+
 17 Jan 2013, PHP 5.3.21
 
 - Zend Engine:
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 7c2e148f68466ee1f6180a4be96d420cf633dc30..7d6f31427de83b0e18b52b1ee683a2cfbdcd86c2 100644 (file)
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -387,7 +387,11 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval
                spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
                if (intern->fptr_offset_get) {
                        zval *rv;
-                       SEPARATE_ARG_IF_REF(offset);
+                       if (!offset) {
+                               ALLOC_INIT_ZVAL(offset);
+                       } else {
+                               SEPARATE_ARG_IF_REF(offset);
+                       }
                        zend_call_method_with_1_params(&object, Z_OBJCE_P(object), &intern->fptr_offset_get, "offsetGet", &rv, offset); 
                        zval_ptr_dtor(&offset);
                        if (rv) {
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index 559cac2f633d2bdcaf045f14f15f9f4365adb742..1d18afd04a3f883c3bbb81e378dee3a2ace0f42f 100644 (file)
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -361,7 +361,11 @@ static zval *spl_fixedarray_object_read_dimension(zval *object, zval *offset, in
 
        if (intern->fptr_offset_get) {
                zval *rv;
-               SEPARATE_ARG_IF_REF(offset);
+               if (!offset) {
+                       ALLOC_INIT_ZVAL(offset);
+               } else {
+                       SEPARATE_ARG_IF_REF(offset);
+               }
                zend_call_method_with_1_params(&object, intern->std.ce, &intern->fptr_offset_get, "offsetGet", &rv, offset);
                zval_ptr_dtor(&offset);
                if (rv) {
diff --git a/ext/spl/tests/bug64106.phpt b/ext/spl/tests/bug64106.phpt
new file mode 100644 (file)
index 0000000..855caef
--- /dev/null
+++ b/ext/spl/tests/bug64106.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #64106: Segfault on SplFixedArray[][x] = y when extended
+--FILE--
+<?php
+
+class MyFixedArray extends SplFixedArray {
+    public function offsetGet($offset) {}
+}
+
+$array = new MyFixedArray(10);
+$array[][1] = 10;
+
+?>
+--EXPECTF--
+Notice: Indirect modification of overloaded element of MyFixedArray has no effect in %s on line %d
Unnamed repository; edit this file 'description' to name the repository.