Fixed bug #64106: Segfault on SplFixedArray[][x] = y when extended

ext/spl/spl_array.c

@@ -381,7 +381,11 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval
 		spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
 		if (intern->fptr_offset_get) {
 			zval *rv;
-			SEPARATE_ARG_IF_REF(offset);
+			if (!offset) {
+				ALLOC_INIT_ZVAL(offset);
+			} else {
+				SEPARATE_ARG_IF_REF(offset);
+			}
 			zend_call_method_with_1_params(&object, Z_OBJCE_P(object), &intern->fptr_offset_get, "offsetGet", &rv, offset);	
 			zval_ptr_dtor(&offset);
 			if (rv) {

ext/spl/spl_fixedarray.c

@@ -378,7 +378,11 @@ static zval *spl_fixedarray_object_read_dimension(zval *object, zval *offset, in
 
 	if (intern->fptr_offset_get) {
 		zval *rv;
-		SEPARATE_ARG_IF_REF(offset);
+		if (!offset) {
+			ALLOC_INIT_ZVAL(offset);
+		} else {
+			SEPARATE_ARG_IF_REF(offset);
+		}
 		zend_call_method_with_1_params(&object, intern->std.ce, &intern->fptr_offset_get, "offsetGet", &rv, offset);
 		zval_ptr_dtor(&offset);
 		if (rv) {

ext/spl/tests/bug64106.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Bug #64106: Segfault on SplFixedArray[][x] = y when extended
+--FILE--
+<?php
+
+class MyFixedArray extends SplFixedArray {
+    public function offsetGet($offset) {}
+}
+
+$array = new MyFixedArray(10);
+$array[][1] = 10;
+
+?>
+--EXPECTF--
+Notice: Indirect modification of overloaded element of MyFixedArray has no effect in %s on line %d