1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
--- /dev/null
+++ b/ext/spl/tests/bug53362.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #53362 (Segmentation fault when extending SplFixedArray)
+--FILE--
+<?php
+
+class obj extends SplFixedArray{
+ public function offsetSet($offset, $value) {
+ var_dump($offset);
+ }
+}
+
+$obj = new obj;
+
+$obj[]=2;
+$obj[]=2;
+$obj[]=2;
+
+?>
+--EXPECTF--
+NULL
+NULL
+NULL
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -409,7 +409,11 @@ static void spl_fixedarray_object_write_
intern = (spl_fixedarray_object *)zend_object_store_get_object(object TSRMLS_CC);
if (intern->fptr_offset_set) {
- SEPARATE_ARG_IF_REF(offset);
+ if (!offset) {
+ ALLOC_INIT_ZVAL(offset);
+ } else {
+ SEPARATE_ARG_IF_REF(offset);
+ }
SEPARATE_ARG_IF_REF(value);
zend_call_method_with_2_params(&object, intern->std.ce, &intern->fptr_offset_set, "offsetSet", NULL, offset, value);
zval_ptr_dtor(&value);
|
