From 13bcf685cb0a92e502ebe39f4b22c64304a9f333 Mon Sep 17 00:00:00 2001 From: Xinchen Hui Date: Thu, 23 Aug 2012 23:27:16 +0800 Subject: [PATCH] Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray) --- NEWS | 2 ++ ext/spl/spl_fixedarray.c | 12 ++++++++---- ext/spl/tests/bug62904.phpt | 19 +++++++++++++++++++ 3 files changed, 29 insertions(+), 4 deletions(-) create mode 100644 ext/spl/tests/bug62904.phpt diff --git a/NEWS b/NEWS index 8492aa6c6b..9af7977fee 100644 --- a/NEWS +++ b/NEWS @@ -39,6 +39,8 @@ PHP NEWS . Fixed bug (segfault due to retval is not initialized). (Laruence) - SPL: + . Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray) + (Laruence) . Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault). (Laruence, Gustavo) diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c index ee8f51eb33..0aac6d3f30 100644 --- a/ext/spl/spl_fixedarray.c +++ b/ext/spl/spl_fixedarray.c @@ -223,10 +223,14 @@ static zend_object_value spl_fixedarray_object_new_ex(zend_class_entry *class_ty if (orig && clone_orig) { spl_fixedarray_object *other = (spl_fixedarray_object*)zend_object_store_get_object(orig TSRMLS_CC); intern->ce_get_iterator = other->ce_get_iterator; - - intern->array = emalloc(sizeof(spl_fixedarray)); - spl_fixedarray_init(intern->array, other->array->size TSRMLS_CC); - spl_fixedarray_copy(intern->array, other->array TSRMLS_CC); + if (!other->array) { + /* leave a empty object, will be dtor later by CLONE handler */ + zend_throw_exception(spl_ce_RuntimeException, "The instance wasn't initialized properly", 0 TSRMLS_CC); + } else { + intern->array = emalloc(sizeof(spl_fixedarray)); + spl_fixedarray_init(intern->array, other->array->size TSRMLS_CC); + spl_fixedarray_copy(intern->array, other->array TSRMLS_CC); + } } while (parent) { diff --git a/ext/spl/tests/bug62904.phpt b/ext/spl/tests/bug62904.phpt new file mode 100644 index 0000000000..7e392da9ab 
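Review bot: In the `ext/spl/spl_fixedarray.c` hunk, the new `if (!other->array)` branch throws but does not return, so `spl_fixedarray_object_new_ex` continues into the `while (parent)` loop and hands back a clone whose `intern->array` this branch never assigns. That is only safe if `intern` was zeroed earlier in the function and if every handler that later touches the clone, including the destructor path the comment relies on, checks `intern->array` for NULL; neither is visible here, because the function starts and ends outside the hunk. I would make the state explicit with `intern->array = NULL;` before the throw and reword the comment to `/* clone of an uninitialized instance: exception is pending and array stays NULL, so the free handler must tolerate NULL */`. The same uninitialized state (presumably a subclass whose constructor never ran the parent's) may also reach other handlers that read `intern->array->size`, so it is worth confirming they carry the same guard rather than fixing only the clone path.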
--- /dev/null +++ b/ext/spl/tests/bug62904.phpt @@ -0,0 +1,19 @@ +--TEST-- +Bug #62904 (Crash when cloning an object which inherits SplFixedArray) +--FILE-- +getMessage()); +} +--EXPECTF-- +string(40) "The instance wasn't initialized properly" -- 2.40.0