From f540e086e26280036f868c8bb5df458364f71f02 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Wed, 30 Jan 2013 20:23:39 +0100
Subject: [PATCH] Fixed bug #64106: Segfault on SplFixedArray[][x] = y when extended
---
 ext/spl/spl_array.c | 6 +++++-
 ext/spl/spl_fixedarray.c | 6 +++++-
 ext/spl/tests/bug64106.phpt | 15 +++++++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 ext/spl/tests/bug64106.phpt
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 479c14839d..40efc43915 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -381,7 +381,11 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval
 spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
 if (intern->fptr_offset_get) {
 zval *rv;
- SEPARATE_ARG_IF_REF(offset);
+ if (!offset) {
+ ALLOC_INIT_ZVAL(offset);
+ } else {
+ SEPARATE_ARG_IF_REF(offset);
+ }
 zend_call_method_with_1_params(&object, Z_OBJCE_P(object), &intern->fptr_offset_get, "offsetGet", &rv, offset);
 zval_ptr_dtor(&offset);
 if (rv) {
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index 1d51e0fb62..c9aec753c8 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -378,7 +378,11 @@ static zval *spl_fixedarray_object_read_dimension(zval *object, zval *offset, in
 if (intern->fptr_offset_get) {
 zval *rv;
- SEPARATE_ARG_IF_REF(offset);
+ if (!offset) {
+ ALLOC_INIT_ZVAL(offset);
+ } else {
+ SEPARATE_ARG_IF_REF(offset);
+ }
 zend_call_method_with_1_params(&object, intern->std.ce, &intern->fptr_offset_get, "offsetGet", &rv, offset);
 zval_ptr_dtor(&offset);
 if (rv) {
diff --git a/ext/spl/tests/bug64106.phpt b/ext/spl/tests/bug64106.phpt
new file mode 100644
index 0000000000..855caef213
--- /dev/null
+++ b/ext/spl/tests/bug64106.phpt
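Review bot: The new `if (!offset)` branch in spl_array_read_dimension_ex carries no comment saying when `offset` can be NULL or what the userland `offsetGet()` then receives, and the identical branch in the spl_fixedarray.c hunk has the same gap. A short comment such as `/* offset is NULL for the append form ($obj[][x] = y); hand offsetGet() a fresh NULL zval */` above the check would keep a later cleanup from removing the guard and reintroducing the NULL dereference that script code can trigger. Both functions continue outside their hunks, so the path taken when `fptr_offset_get` is unset is not visible here; it is worth confirming that it also tolerates a NULL `offset`.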
@@ -0,0 +1,15 @@ +--TEST-- +Bug #64106: Segfault on SplFixedArray[][x] = y when extended +--FILE-- + +--EXPECTF-- +Notice: Indirect modification of overloaded element of MyFixedArray has no effect in %s on line %d -- 2.40.0