diff options
author | Nikita Popov <nikic@php.net> | 2013-01-30 20:23:39 +0100 |
---|---|---|
committer | Nikita Popov <nikic@php.net> | 2013-01-30 20:23:39 +0100 |
commit | 321f4f18e52bfabe19fb9217dff0bf661d48e5d3 (patch) | |
tree | 82c310b816b22c6969c5605adf2bf21cbdd18639 | |
parent | ec53b60072799704a0d94cdd935bdf54bd5e5344 (diff) | |
download | php-git-321f4f18e52bfabe19fb9217dff0bf661d48e5d3.tar.gz |
Fixed bug #64106: Segfault on SplFixedArray[][x] = y when extended
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/spl/spl_array.c | 6 | ||||
-rw-r--r-- | ext/spl/spl_fixedarray.c | 6 | ||||
-rw-r--r-- | ext/spl/tests/bug64106.phpt | 15 |
4 files changed, 28 insertions, 2 deletions
@@ -17,6 +17,9 @@ PHP NEWS - FPM: . Fixed bug #63999 (php with fpm fails to build on Solaris 10 or 11). (Adam) +- SPL: + . Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended). (Nikita Popov) + 17 Jan 2013, PHP 5.3.21 - Zend Engine: diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 7c2e148f68..7d6f31427d 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -387,7 +387,11 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC); if (intern->fptr_offset_get) { zval *rv; - SEPARATE_ARG_IF_REF(offset); + if (!offset) { + ALLOC_INIT_ZVAL(offset); + } else { + SEPARATE_ARG_IF_REF(offset); + } zend_call_method_with_1_params(&object, Z_OBJCE_P(object), &intern->fptr_offset_get, "offsetGet", &rv, offset); zval_ptr_dtor(&offset); if (rv) { diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c index 559cac2f63..1d18afd04a 100644 --- a/ext/spl/spl_fixedarray.c +++ b/ext/spl/spl_fixedarray.c @@ -361,7 +361,11 @@ static zval *spl_fixedarray_object_read_dimension(zval *object, zval *offset, in if (intern->fptr_offset_get) { zval *rv; - SEPARATE_ARG_IF_REF(offset); + if (!offset) { + ALLOC_INIT_ZVAL(offset); + } else { + SEPARATE_ARG_IF_REF(offset); + } zend_call_method_with_1_params(&object, intern->std.ce, &intern->fptr_offset_get, "offsetGet", &rv, offset); zval_ptr_dtor(&offset); if (rv) { diff --git a/ext/spl/tests/bug64106.phpt b/ext/spl/tests/bug64106.phpt new file mode 100644 index 0000000000..855caef213 --- /dev/null +++ b/ext/spl/tests/bug64106.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #64106: Segfault on SplFixedArray[][x] = y when extended +--FILE-- +<?php + +class MyFixedArray extends SplFixedArray { + public function offsetGet($offset) {} +} + +$array = new MyFixedArray(10); +$array[][1] = 10; + +?> +--EXPECTF-- +Notice: Indirect modification of overloaded element of MyFixedArray has no effect in %s on line %d |