Fixed bug #70852 Segfault getting NULL offset of an ArrayObject.

3 files changed, 17 insertions, 2 deletions

diff --git a/NEWS b/NEWS
index 1ea9e3055c..5dcb3310bc 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,10 @@ PHP                                                                        NEWS
   . Fixed bug #69757 (Segmentation fault on nextRowset).
     (miracle at rpz dot name)
 
+- SPL:
+  . Fixed bug #70852 Segfault getting NULL offset of an ArrayObject.
+    (Reeze Xia)
+
 29 Oct 2015, PHP 5.6.15
 
 - Core:
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 6ebbb7c068..f977aa3244 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -325,13 +325,13 @@ string_offest:
 		if (zend_symtable_find(ht, key, len, (void **) &retval) == FAILURE) {
 			switch (type) {
 				case BP_VAR_R:
-					zend_error(E_NOTICE, "Undefined index: %s", Z_STRVAL_P(offset));
+					zend_error(E_NOTICE, "Undefined index: %s", key);
 				case BP_VAR_UNSET:
 				case BP_VAR_IS:
 					retval = &EG(uninitialized_zval_ptr);
 					break;
 				case BP_VAR_RW:
-					zend_error(E_NOTICE,"Undefined index: %s", Z_STRVAL_P(offset));
+					zend_error(E_NOTICE,"Undefined index: %s", key);
 				case BP_VAR_W: {
 				    zval *value;
 				    ALLOC_INIT_ZVAL(value);
diff --git a/ext/spl/tests/bug70852.phpt b/ext/spl/tests/bug70852.phpt
new file mode 100644
index 0000000000..da7c00bb66
--- /dev/null
+++ b/ext/spl/tests/bug70852.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #70852 Segfault getting NULL offset of an ArrayObject
+--FILE--
+<?php
+$y = new ArrayObject();
+echo $y[NULL];
+?>
+===DONE===
+--EXPECTF--
+Notice: Undefined index:  in %s on line %d
+===DONE===