Merge branch 'PHP-7.4'

* PHP-7.4:
  Fixed possible crash

2 files changed, 23 insertions, 1 deletions

diff --git a/ext/ffi/ffi.c b/ext/ffi/ffi.c
index 715628b5e5..059c48e1bc 100644
--- a/ext/ffi/ffi.c
+++ b/ext/ffi/ffi.c
@@ -1117,10 +1117,16 @@ static void zend_ffi_cdata_write_dim(zend_object *obj, zval *offset, zval *value
 {
 	zend_ffi_cdata *cdata = (zend_ffi_cdata*)obj;
 	zend_ffi_type  *type = ZEND_FFI_TYPE(cdata->type);
-	zend_long       dim = zval_get_long(offset);
+	zend_long       dim;
 	void           *ptr;
 	zend_ffi_flags  is_const;
 
+	if (offset == NULL) {
+		zend_throw_error(zend_ffi_exception_ce, "Cannot add next element to object of type FFI\\CData");
+		return;
+	}
+	
+	dim = zval_get_long(offset);
 	if (EXPECTED(type->kind == ZEND_FFI_TYPE_ARRAY)) {
 		if (UNEXPECTED((zend_ulong)(dim) >= (zend_ulong)type->array.length)
 		 && (UNEXPECTED(dim < 0) || UNEXPECTED(type->array.length != 0))) {
diff --git a/ext/ffi/tests/042.phpt b/ext/ffi/tests/042.phpt
new file mode 100644
index 0000000000..05450d5727
--- /dev/null
+++ b/ext/ffi/tests/042.phpt
@@ -0,0 +1,16 @@
+--TEST--
+FFI 042: Next array element
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--INI--
+ffi.enable=1
+--FILE--
+<?php
+$a = FFI::new("uint8_t[8]");
+$a[] = 0;
+?>
+--EXPECTF--
+Fatal error: Uncaught FFI\Exception: Cannot add next element to object of type FFI\CData in %sext/ffi/tests/042.php:3
+Stack trace:
+#0 {main}
+  thrown in %sext/ffi/tests/042.php on line 3
\ No newline at end of file