Commit:    321f4f18e52bfabe19fb9217dff0bf661d48e5d3
Author:    Nikita Popov <ni...@php.net>         Wed, 30 Jan 2013 20:23:39 +0100
Parents:   ec53b60072799704a0d94cdd935bdf54bd5e5344
Branches:  PHP-5.3 PHP-5.4 master

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=321f4f18e52bfabe19fb9217dff0bf661d48e5d3

Log:
Fixed bug #64106: Segfault on SplFixedArray[][x] = y when extended

Bugs:
https://bugs.php.net/64106

Changed paths:
  M  NEWS
  M  ext/spl/spl_array.c
  M  ext/spl/spl_fixedarray.c
  A  ext/spl/tests/bug64106.phpt


Diff:
diff --git a/NEWS b/NEWS
index 24a1ba8..c230d22 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,9 @@ PHP                                                           
             NEWS
 - FPM:
   . Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11). (Adam)
 
+- SPL:
+  . Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended). 
(Nikita Popov)
+
 17 Jan 2013, PHP 5.3.21
 
 - Zend Engine:
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 7c2e148..7d6f314 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -387,7 +387,11 @@ static zval *spl_array_read_dimension_ex(int 
check_inherited, zval *object, zval
                spl_array_object *intern = 
(spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
                if (intern->fptr_offset_get) {
                        zval *rv;
-                       SEPARATE_ARG_IF_REF(offset);
+                       if (!offset) {
+                               ALLOC_INIT_ZVAL(offset);
+                       } else {
+                               SEPARATE_ARG_IF_REF(offset);
+                       }
                        zend_call_method_with_1_params(&object, 
Z_OBJCE_P(object), &intern->fptr_offset_get, "offsetGet", &rv, offset); 
                        zval_ptr_dtor(&offset);
                        if (rv) {
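Review bot: The new `if (!offset)` branch has no comment saying when `offset` can be NULL, and the same uncommented branch is repeated in the spl_fixedarray.c hunk for spl_fixedarray_object_read_dimension. Judging by the commit title and the added test, this is presumably the append form `$obj[][x] = y`, where no dimension is supplied; a one-line comment such as `/* offset is NULL for $obj[][x] = y; pass the overridden offsetGet() a NULL zval instead of dereferencing it */` above the check would keep a later cleanup from dropping the guard and bringing the crash back. Since both files now carry the same five-line sequence, a small shared helper or macro would keep them in step. The function body starts and ends outside this hunk, so whether the path taken when `fptr_offset_get` is unset also tolerates a NULL offset cannot be confirmed from here.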
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index 559cac2..1d18afd 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -361,7 +361,11 @@ static zval *spl_fixedarray_object_read_dimension(zval 
*object, zval *offset, in
 
        if (intern->fptr_offset_get) {
                zval *rv;
-               SEPARATE_ARG_IF_REF(offset);
+               if (!offset) {
+                       ALLOC_INIT_ZVAL(offset);
+               } else {
+                       SEPARATE_ARG_IF_REF(offset);
+               }
                zend_call_method_with_1_params(&object, intern->std.ce, 
&intern->fptr_offset_get, "offsetGet", &rv, offset);
                zval_ptr_dtor(&offset);
                if (rv) {
diff --git a/ext/spl/tests/bug64106.phpt b/ext/spl/tests/bug64106.phpt
new file mode 100644
index 0000000..855caef
--- /dev/null
+++ b/ext/spl/tests/bug64106.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #64106: Segfault on SplFixedArray[][x] = y when extended
+--FILE--
+<?php
+
+class MyFixedArray extends SplFixedArray {
+    public function offsetGet($offset) {}
+}
+
+$array = new MyFixedArray(10);
+$array[][1] = 10;
+
+?>
+--EXPECTF--
+Notice: Indirect modification of overloaded element of MyFixedArray has no 
effect in %s on line %d
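Review bot: The regression test covers only the spl_fixedarray.c change: `MyFixedArray extends SplFixedArray` is the only class exercised, so the identical guard added in spl_array.c has no test in this commit. A second case with a class extending ArrayObject that overrides offsetGet() and runs `$obj[][1] = 10;` would pin that path as well. The test also does not show what offsetGet() receives; adding `var_dump($offset);` to the override, with the matching `NULL` line in the expected output, would document that a NULL is passed for the append form.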

