Fixed bug #64106: Segfault on SplFixedArray[][x] = y when extended

nikic · nikic · commit 321f4f18e52b · 2013-01-30T20:23:39.000+01:00
diff --git a/NEWS b/NEWS
@@ -17,6 +17,9 @@ PHP                                                                        NEWS
 - FPM:
   . Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11). (Adam)
 
+- SPL:
+  . Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended). (Nikita Popov)
+
 17 Jan 2013, PHP 5.3.21
 
 - Zend Engine:
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
@@ -387,7 +387,11 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval
 		spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
 		if (intern->fptr_offset_get) {
 			zval *rv;
-			SEPARATE_ARG_IF_REF(offset);
+			if (!offset) {
+				ALLOC_INIT_ZVAL(offset);
+			} else {
+				SEPARATE_ARG_IF_REF(offset);
+			}
 			zend_call_method_with_1_params(&object, Z_OBJCE_P(object), &intern->fptr_offset_get, "offsetGet", &rv, offset);	
 			zval_ptr_dtor(&offset);
 			if (rv) {
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
@@ -361,7 +361,11 @@ static zval *spl_fixedarray_object_read_dimension(zval *object, zval *offset, in
 
 	if (intern->fptr_offset_get) {
 		zval *rv;
-		SEPARATE_ARG_IF_REF(offset);
+		if (!offset) {
+			ALLOC_INIT_ZVAL(offset);
+		} else {
+			SEPARATE_ARG_IF_REF(offset);
+		}
 		zend_call_method_with_1_params(&object, intern->std.ce, &intern->fptr_offset_get, "offsetGet", &rv, offset);
 		zval_ptr_dtor(&offset);
 		if (rv) {
diff --git a/ext/spl/tests/bug64106.phpt b/ext/spl/tests/bug64106.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #64106: Segfault on SplFixedArray[][x] = y when extended
+--FILE--
+<?php
+
+class MyFixedArray extends SplFixedArray {
+    public function offsetGet($offset) {}
+}
+
+$array = new MyFixedArray(10);
+$array[][1] = 10;
+
+?>
+--EXPECTF--
+Notice: Indirect modification of overloaded element of MyFixedArray has no effect in %s on line %d
