From e2ba5c7987141fc11706207b0ce24ea2eb6dea87 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 10 Jun 2014 23:17:30 -0700 Subject: [PATCH] Fix bug #66127 (Segmentation fault with ArrayObject unset) --- ext/spl/spl_array.c | 2 +- ext/spl/tests/bug66127.phpt | 25 +++++++++++++++++++++++++ ext/spl/tests/iterator_035.phpt | 2 ++ 3 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 ext/spl/tests/bug66127.phpt diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 77453d66734..f2f3f1c61b5 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -408,7 +408,7 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval /* When in a write context, * ZE has to be fooled into thinking this is in a reference set * by separating (if necessary) and returning as an is_ref=1 zval (even if refcount == 1) */ - if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret)) { + if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret) && ret != &EG(uninitialized_zval_ptr)) { if (Z_REFCOUNT_PP(ret) > 1) { zval *newval; diff --git a/ext/spl/tests/bug66127.phpt b/ext/spl/tests/bug66127.phpt new file mode 100644 index 00000000000..b5d1dcac4b2 --- /dev/null +++ b/ext/spl/tests/bug66127.phpt @@ -0,0 +1,25 @@ +--TEST-- +Bug #66127 (Segmentation fault with ArrayObject unset) +--INI-- +error_reporting = E_ALL & ~E_NOTICE +--FILE-- + +--EXPECT-- +Worked! diff --git a/ext/spl/tests/iterator_035.phpt b/ext/spl/tests/iterator_035.phpt index 9ce098b69d7..fc0271e3811 100644 --- a/ext/spl/tests/iterator_035.phpt +++ b/ext/spl/tests/iterator_035.phpt @@ -12,4 +12,6 @@ $a[] = &$tmp; echo "Done\n"; ?> --EXPECTF-- +Notice: Indirect modification of overloaded element of ArrayIterator has no effect in %s on line %d + Fatal error: Cannot assign by reference to overloaded object in %s on line %d