Fix bug #66127 (Segmentation fault with ArrayObject unset)

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 77453d667345c9466d6b05acfa92c3b0f5abb956..f2f3f1c61b51036612f52c0619c73fa3e4308227 100644 (file)
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -408,7 +408,7 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval
        /* When in a write context,
         * ZE has to be fooled into thinking this is in a reference set
         * by separating (if necessary) and returning as an is_ref=1 zval (even if refcount == 1) */
-       if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret)) {
+       if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret) && ret != &EG(uninitialized_zval_ptr)) {
                if (Z_REFCOUNT_PP(ret) > 1) {
                        zval *newval;
 

diff --git a/ext/spl/tests/bug66127.phpt b/ext/spl/tests/bug66127.phpt
new file mode 100644 (file)
index 0000000..b5d1dca
--- /dev/null
+++ b/ext/spl/tests/bug66127.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #66127 (Segmentation fault with ArrayObject unset)
+--INI--
+error_reporting = E_ALL & ~E_NOTICE
+--FILE--
+<?php
+function crash()
+{
+    set_error_handler(function () {});
+    $var = 1;
+    trigger_error('error');
+    $var2 = $var;
+    $var3 = $var;
+    trigger_error('error');
+}
+
+$items = new ArrayObject();
+
+unset($items[0]);
+unset($items[0][0]);
+crash();
+echo "Worked!\n";
+?>
+--EXPECT--
+Worked!

diff --git a/ext/spl/tests/iterator_035.phpt b/ext/spl/tests/iterator_035.phpt
index 9ce098b69d7c11d510a874546fabd7261374fc25..fc0271e3811d71bcf0203018cb9dd4f94a39ea1b 100644 (file)
--- a/ext/spl/tests/iterator_035.phpt
+++ b/ext/spl/tests/iterator_035.phpt
@@ -12,4 +12,6 @@ $a[] = &$tmp;
 echo "Done\n";
 ?>
 --EXPECTF--    
+Notice: Indirect modification of overloaded element of ArrayIterator has no effect in %s on line %d
+
 Fatal error: Cannot assign by reference to overloaded object in %s on line %d