Fixed possible crash
authorDmitry Stogov <dmitry@zend.com>
Tue, 12 Feb 2019 08:21:09 +0000 (11:21 +0300)
committerDmitry Stogov <dmitry@zend.com>
Tue, 12 Feb 2019 08:21:09 +0000 (11:21 +0300)
ext/ffi/ffi.c
ext/ffi/tests/042.phpt [new file with mode: 0644]

index 1a8f866520e539087d15dd6802f2c26dc03849d5..e223a52a923e532b18a1ee6c0ea3773dae831ab6 100644 (file)
@@ -1138,10 +1138,16 @@ static void zend_ffi_cdata_write_dim(zval *object, zval *offset, zval *value) /*
 {
        zend_ffi_cdata *cdata = (zend_ffi_cdata*)Z_OBJ_P(object);
        zend_ffi_type  *type = ZEND_FFI_TYPE(cdata->type);
-       zend_long       dim = zval_get_long(offset);
+       zend_long       dim;
        void           *ptr;
        zend_ffi_flags  is_const;
 
+       if (offset == NULL) {
+               zend_throw_error(zend_ffi_exception_ce, "Cannot add next element to object of type FFI\\CData");
+               return;
+       }
+       
+       dim = zval_get_long(offset);
        if (EXPECTED(type->kind == ZEND_FFI_TYPE_ARRAY)) {
                if (UNEXPECTED((zend_ulong)(dim) >= (zend_ulong)type->array.length)
                 && (UNEXPECTED(dim < 0) || UNEXPECTED(type->array.length != 0))) {
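Review bot: The guard added ahead of `dim = zval_get_long(offset);` closes the NULL-offset dereference only in `zend_ffi_cdata_write_dim`. The read-side dimension handler is outside this hunk; if it also converts `offset` unconditionally, it needs the same check, since the append form may reach it with a NULL offset in write-fetch contexts (inferred, not visible here). To match the `EXPECTED`/`UNEXPECTED` hints on the lines that follow, the condition could read `if (UNEXPECTED(offset == NULL)) {`, with a short comment such as `/* offset is NULL for the append form $a[] = v */`. The added separator line after the closing brace carries trailing whitespace. The function body continues past the end of the hunk.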
diff --git a/ext/ffi/tests/042.phpt b/ext/ffi/tests/042.phpt
new file mode 100644 (file)
index 0000000..05450d5
--- /dev/null
@@ -0,0 +1,16 @@
+--TEST--
+FFI 042: Next array element
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--INI--
+ffi.enable=1
+--FILE--
+<?php
+$a = FFI::new("uint8_t[8]");
+$a[] = 0;
+?>
+--EXPECTF--
+Fatal error: Uncaught FFI\Exception: Cannot add next element to object of type FFI\CData in %sext/ffi/tests/042.php:3
+Stack trace:
+#0 {main}
+  thrown in %sext/ffi/tests/042.php on line 3
\ No newline at end of file
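Review bot: The `--EXPECTF--` section hard-codes `ext/ffi/tests/042.php` with forward slashes and a fixed line number, so the expectation depends on the platform's path separator and on the test layout. The usual placeholders keep it portable: `... of type FFI\CData in %s:%d` and `  thrown in %s on line %d`. The case exercises only an array type (`uint8_t[8]`), while the new guard sits before the type-kind branch; a second case for a non-array CData would pin that the check runs for every kind, assuming other kinds are handled further down in the handler. The file also ends without a trailing newline.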