diff options
| author | Stanislav Malyshev <stas@php.net> | 2014-06-10 23:17:30 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2014-06-10 23:17:30 -0700 |
| commit | 317bcb96d01a1dade28f2875bdd9bbbf73a40160 (patch) | |
| tree | d8a849494a4b4595283588d605cf182c145ee7df | |
| parent | 979eed5c6bb437d53d27745925663eb8c31640a5 (diff) | |
| download | php-git-317bcb96d01a1dade28f2875bdd9bbbf73a40160.tar.gz | |
Fix bug #66127 (Segmentation fault with ArrayObject unset)
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | ext/spl/spl_array.c | 2 | ||||
| -rw-r--r-- | ext/spl/tests/bug66127.phpt | 25 | ||||
| -rw-r--r-- | ext/spl/tests/iterator_035.phpt | 2 |
4 files changed, 29 insertions, 1 deletions
@@ -43,6 +43,7 @@ PHP NEWS . Implemented FR #49898 (Add SoapClient::__getCookies()). (Boro Sitnikovski) - SPL: + . Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas) . Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence) . Fixed bug #67360 (Missing element after ArrayObject::getIterator). (Adam) diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 34f3a3818d..758947a8cc 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -402,7 +402,7 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval /* When in a write context, * ZE has to be fooled into thinking this is in a reference set * by separating (if necessary) and returning as an is_ref=1 zval (even if refcount == 1) */ - if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret)) { + if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret) && ret != &EG(uninitialized_zval_ptr)) { if (Z_REFCOUNT_PP(ret) > 1) { zval *newval; diff --git a/ext/spl/tests/bug66127.phpt b/ext/spl/tests/bug66127.phpt new file mode 100644 index 0000000000..b5d1dcac4b --- /dev/null +++ b/ext/spl/tests/bug66127.phpt @@ -0,0 +1,25 @@ +--TEST-- +Bug #66127 (Segmentation fault with ArrayObject unset) +--INI-- +error_reporting = E_ALL & ~E_NOTICE +--FILE-- +<?php +function crash() +{ + set_error_handler(function () {}); + $var = 1; + trigger_error('error'); + $var2 = $var; + $var3 = $var; + trigger_error('error'); +} + +$items = new ArrayObject(); + +unset($items[0]); +unset($items[0][0]); +crash(); +echo "Worked!\n"; +?> +--EXPECT-- +Worked! diff --git a/ext/spl/tests/iterator_035.phpt b/ext/spl/tests/iterator_035.phpt index 9ce098b69d..fc0271e381 100644 --- a/ext/spl/tests/iterator_035.phpt +++ b/ext/spl/tests/iterator_035.phpt @@ -12,4 +12,6 @@ $a[] = &$tmp; echo "Done\n"; ?> --EXPECTF-- +Notice: Indirect modification of overloaded element of ArrayIterator has no effect in %s on line %d + Fatal error: Cannot assign by reference to overloaded object in %s on line %d |