diff options
author | Stanislav Malyshev <stas@php.net> | 2014-06-10 23:17:30 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-07-18 16:28:16 -0700 |
commit | e2ba5c7987141fc11706207b0ce24ea2eb6dea87 (patch) | |
tree | 248493cd30fc4f79ae77ddb057b88781d9ca5c87 | |
parent | 8e9777a1f19f079c68df92c8c4ee163e6087a1d1 (diff) | |
download | php-git-e2ba5c7987141fc11706207b0ce24ea2eb6dea87.tar.gz |
Fix bug #66127 (Segmentation fault with ArrayObject unset)
-rw-r--r-- | ext/spl/spl_array.c | 2 | ||||
-rw-r--r-- | ext/spl/tests/bug66127.phpt | 25 | ||||
-rw-r--r-- | ext/spl/tests/iterator_035.phpt | 2 |
3 files changed, 28 insertions, 1 deletions
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 77453d6673..f2f3f1c61b 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -408,7 +408,7 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval /* When in a write context, * ZE has to be fooled into thinking this is in a reference set * by separating (if necessary) and returning as an is_ref=1 zval (even if refcount == 1) */ - if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret)) { + if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret) && ret != &EG(uninitialized_zval_ptr)) { if (Z_REFCOUNT_PP(ret) > 1) { zval *newval; diff --git a/ext/spl/tests/bug66127.phpt b/ext/spl/tests/bug66127.phpt new file mode 100644 index 0000000000..b5d1dcac4b --- /dev/null +++ b/ext/spl/tests/bug66127.phpt @@ -0,0 +1,25 @@ +--TEST-- +Bug #66127 (Segmentation fault with ArrayObject unset) +--INI-- +error_reporting = E_ALL & ~E_NOTICE +--FILE-- +<?php +function crash() +{ + set_error_handler(function () {}); + $var = 1; + trigger_error('error'); + $var2 = $var; + $var3 = $var; + trigger_error('error'); +} + +$items = new ArrayObject(); + +unset($items[0]); +unset($items[0][0]); +crash(); +echo "Worked!\n"; +?> +--EXPECT-- +Worked! diff --git a/ext/spl/tests/iterator_035.phpt b/ext/spl/tests/iterator_035.phpt index 9ce098b69d..fc0271e381 100644 --- a/ext/spl/tests/iterator_035.phpt +++ b/ext/spl/tests/iterator_035.phpt @@ -12,4 +12,6 @@ $a[] = &$tmp; echo "Done\n"; ?> --EXPECTF-- +Notice: Indirect modification of overloaded element of ArrayIterator has no effect in %s on line %d + Fatal error: Cannot assign by reference to overloaded object in %s on line %d |