From: Felipe Pena <felipe@php.net>
Date: Fri, 19 Nov 2010 20:07:32 +0000 (+0000)
Subject: - Fixed bug #53362 (Segmentation fault when extending SplFixedArray)
X-Git-Tag: php-5.4.0alpha1~191^2~629
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9608da9443965f8be8d611e1377bd2dff8ae2538;p=php

- Fixed bug #53362 (Segmentation fault when extending SplFixedArray)
---

diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index 4389d505b3..94e9341848 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -409,7 +409,11 @@ static void spl_fixedarray_object_write_dimension(zval *object, zval *offset, zv
 	intern = (spl_fixedarray_object *)zend_object_store_get_object(object TSRMLS_CC);
 
 	if (intern->fptr_offset_set) {
-		SEPARATE_ARG_IF_REF(offset);
+		if (!offset) {
+			ALLOC_INIT_ZVAL(offset);
+		} else {
+			SEPARATE_ARG_IF_REF(offset);
+		}
 		SEPARATE_ARG_IF_REF(value);
 		zend_call_method_with_2_params(&object, intern->std.ce, &intern->fptr_offset_set, "offsetSet", NULL, offset, value);
 		zval_ptr_dtor(&value);
diff --git a/ext/spl/tests/bug53362.phpt b/ext/spl/tests/bug53362.phpt
new file mode 100644
index 0000000000..70ba6e2036
--- /dev/null
+++ b/ext/spl/tests/bug53362.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #53362 (Segmentation fault when extending SplFixedArray)
+--FILE--
+<?php
+
+class obj extends SplFixedArray{
+	public function offsetSet($offset, $value) {
+		var_dump($offset);
+	}
+}
+
+$obj = new obj;
+
+$obj[]=2;
+$obj[]=2;
+$obj[]=2;
+
+?>
+--EXPECTF--
+NULL
+NULL
+NULL