- Fixed bug #53362 (Segmentation fault when extending SplFixedArray)

diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index 4389d505b313ad2bf90abcbd6b0ae76c6b597dd6..94e93418487501133178afbf186943dcfdf88d48 100644 (file)
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -409,7 +409,11 @@ static void spl_fixedarray_object_write_dimension(zval *object, zval *offset, zv
        intern = (spl_fixedarray_object *)zend_object_store_get_object(object TSRMLS_CC);
 
        if (intern->fptr_offset_set) {
-               SEPARATE_ARG_IF_REF(offset);
+               if (!offset) {
+                       ALLOC_INIT_ZVAL(offset);
+               } else {
+                       SEPARATE_ARG_IF_REF(offset);
+               }
                SEPARATE_ARG_IF_REF(value);
                zend_call_method_with_2_params(&object, intern->std.ce, &intern->fptr_offset_set, "offsetSet", NULL, offset, value);
                zval_ptr_dtor(&value);

diff --git a/ext/spl/tests/bug53362.phpt b/ext/spl/tests/bug53362.phpt
new file mode 100644 (file)
index 0000000..70ba6e2
--- /dev/null
+++ b/ext/spl/tests/bug53362.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #53362 (Segmentation fault when extending SplFixedArray)
+--FILE--
+<?php
+
+class obj extends SplFixedArray{
+       public function offsetSet($offset, $value) {
+               var_dump($offset);
+       }
+}
+
+$obj = new obj;
+
+$obj[]=2;
+$obj[]=2;
+$obj[]=2;
+
+?>
+--EXPECTF--
+NULL
+NULL
+NULL