- Fixed bug #53362 (Segmentation fault when extending SplFixedArray)

3 files changed, 28 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 322c7396eb..b1ced5ec41 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2010, PHP 5.3.4
+- Fixed bug #53362 (Segmentation fault when extending SplFixedArray). (Felipe)
 - Fixed bug #47168 (printf of floating point variable prints maximum of 40 
   decimal places). (Ilia)
 
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index d7dd244298..d2005d4de4 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -409,7 +409,11 @@ static void spl_fixedarray_object_write_dimension(zval *object, zval *offset, zv
 	intern = (spl_fixedarray_object *)zend_object_store_get_object(object TSRMLS_CC);
 
 	if (intern->fptr_offset_set) {
-		SEPARATE_ARG_IF_REF(offset);
+		if (!offset) {
+			ALLOC_INIT_ZVAL(offset);
+		} else {
+			SEPARATE_ARG_IF_REF(offset);
+		}
 		SEPARATE_ARG_IF_REF(value);
 		zend_call_method_with_2_params(&object, intern->std.ce, &intern->fptr_offset_set, "offsetSet", NULL, offset, value);
 		zval_ptr_dtor(&value);
diff --git a/ext/spl/tests/bug53362.phpt b/ext/spl/tests/bug53362.phpt
new file mode 100644
index 0000000000..70ba6e2036
--- /dev/null
+++ b/ext/spl/tests/bug53362.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #53362 (Segmentation fault when extending SplFixedArray)
+--FILE--
+<?php
+
+class obj extends SplFixedArray{
+	public function offsetSet($offset, $value) {
+		var_dump($offset);
+	}
+}
+
+$obj = new obj;
+
+$obj[]=2;
+$obj[]=2;
+$obj[]=2;
+
+?>
+--EXPECTF--
+NULL
+NULL
+NULL