Fix bug #66127 (Segmentation fault with ArrayObject unset)

3 files changed, 28 insertions, 1 deletions

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 77453d6673..f2f3f1c61b 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -408,7 +408,7 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval
 	/* When in a write context,
 	 * ZE has to be fooled into thinking this is in a reference set
 	 * by separating (if necessary) and returning as an is_ref=1 zval (even if refcount == 1) */
-	if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret)) {
+	if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret) && ret != &EG(uninitialized_zval_ptr)) {
 		if (Z_REFCOUNT_PP(ret) > 1) {
 			zval *newval;
 
diff --git a/ext/spl/tests/bug66127.phpt b/ext/spl/tests/bug66127.phpt
new file mode 100644
index 0000000000..b5d1dcac4b
--- /dev/null
+++ b/ext/spl/tests/bug66127.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #66127 (Segmentation fault with ArrayObject unset)
+--INI--
+error_reporting = E_ALL & ~E_NOTICE
+--FILE--
+<?php
+function crash()
+{
+    set_error_handler(function () {});
+    $var = 1;
+    trigger_error('error');
+    $var2 = $var;
+    $var3 = $var;
+    trigger_error('error');
+}
+
+$items = new ArrayObject();
+
+unset($items[0]);
+unset($items[0][0]);
+crash();
+echo "Worked!\n";
+?>
+--EXPECT--
+Worked!
diff --git a/ext/spl/tests/iterator_035.phpt b/ext/spl/tests/iterator_035.phpt
index 9ce098b69d..fc0271e381 100644
--- a/ext/spl/tests/iterator_035.phpt
+++ b/ext/spl/tests/iterator_035.phpt
@@ -12,4 +12,6 @@ $a[] = &$tmp;
 echo "Done\n";
 ?>
 --EXPECTF--	
+Notice: Indirect modification of overloaded element of ArrayIterator has no effect in %s on line %d
+
 Fatal error: Cannot assign by reference to overloaded object in %s on line %d