- Fixed bug #53362 (Segmentation fault when extending SplFixedArray)

diff --git a/NEWS b/NEWS
index 322c7396eb2cb642b04e8ff6126a470dace1abce..b1ced5ec4102b576575d17e8c982b790a9b425f4 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2010, PHP 5.3.4
+- Fixed bug #53362 (Segmentation fault when extending SplFixedArray). (Felipe)
 - Fixed bug #47168 (printf of floating point variable prints maximum of 40 
   decimal places). (Ilia)
 

diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index d7dd244298d5721d275a99a9575ab07d7051d997..d2005d4de48998c54c34b5a02d09003d1604db01 100644 (file)
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -409,7 +409,11 @@ static void spl_fixedarray_object_write_dimension(zval *object, zval *offset, zv
        intern = (spl_fixedarray_object *)zend_object_store_get_object(object TSRMLS_CC);
 
        if (intern->fptr_offset_set) {
-               SEPARATE_ARG_IF_REF(offset);
+               if (!offset) {
+                       ALLOC_INIT_ZVAL(offset);
+               } else {
+                       SEPARATE_ARG_IF_REF(offset);
+               }
                SEPARATE_ARG_IF_REF(value);
                zend_call_method_with_2_params(&object, intern->std.ce, &intern->fptr_offset_set, "offsetSet", NULL, offset, value);
                zval_ptr_dtor(&value);

diff --git a/ext/spl/tests/bug53362.phpt b/ext/spl/tests/bug53362.phpt
new file mode 100644 (file)
index 0000000..70ba6e2
--- /dev/null
+++ b/ext/spl/tests/bug53362.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #53362 (Segmentation fault when extending SplFixedArray)
+--FILE--
+<?php
+
+class obj extends SplFixedArray{
+       public function offsetSet($offset, $value) {
+               var_dump($offset);
+       }
+}
+
+$obj = new obj;
+
+$obj[]=2;
+$obj[]=2;
+$obj[]=2;
+
+?>
+--EXPECTF--
+NULL
+NULL
+NULL