From: Stanislav Malyshev <stas@php.net>
Date: Wed, 11 Jun 2014 06:17:30 +0000 (-0700)
Subject: Fix bug #66127 (Segmentation fault with ArrayObject unset)
X-Git-Tag: php-5.4.30RC1^0
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2b04d689724bdfd5db9351c017566e2f51d61568;p=php

Fix bug #66127 (Segmentation fault with ArrayObject unset)
---

diff --git a/NEWS b/NEWS
index 853732f5dc..f0367a8cc9 100644
--- a/NEWS
+++ b/NEWS
@@ -41,6 +41,7 @@ PHP                                                                        NEWS
   . Implemented FR #49898 (Add SoapClient::__getCookies()). (Boro Sitnikovski)
 
 - SPL:
+  . Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas)
   . Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence)
   . Fixed bug #67360 (Missing element after ArrayObject::getIterator). (Adam)
 
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 34f3a3818d..758947a8cc 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -402,7 +402,7 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval
 	/* When in a write context,
 	 * ZE has to be fooled into thinking this is in a reference set
 	 * by separating (if necessary) and returning as an is_ref=1 zval (even if refcount == 1) */
-	if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret)) {
+	if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret) && ret != &EG(uninitialized_zval_ptr)) {
 		if (Z_REFCOUNT_PP(ret) > 1) {
 			zval *newval;
 
diff --git a/ext/spl/tests/bug66127.phpt b/ext/spl/tests/bug66127.phpt
new file mode 100644
index 0000000000..b5d1dcac4b
--- /dev/null
+++ b/ext/spl/tests/bug66127.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #66127 (Segmentation fault with ArrayObject unset)
+--INI--
+error_reporting = E_ALL & ~E_NOTICE
+--FILE--
+<?php
+function crash()
+{
+    set_error_handler(function () {});
+    $var = 1;
+    trigger_error('error');
+    $var2 = $var;
+    $var3 = $var;
+    trigger_error('error');
+}
+
+$items = new ArrayObject();
+
+unset($items[0]);
+unset($items[0][0]);
+crash();
+echo "Worked!\n";
+?>
+--EXPECT--
+Worked!
diff --git a/ext/spl/tests/iterator_035.phpt b/ext/spl/tests/iterator_035.phpt
index 9ce098b69d..fc0271e381 100644
--- a/ext/spl/tests/iterator_035.phpt
+++ b/ext/spl/tests/iterator_035.phpt
@@ -12,4 +12,6 @@ $a[] = &$tmp;
 echo "Done\n";
 ?>
 --EXPECTF--	
+Notice: Indirect modification of overloaded element of ArrayIterator has no effect in %s on line %d
+
 Fatal error: Cannot assign by reference to overloaded object in %s on line %d