Fixed bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables)

The get_zval_ptr_ptr of spl_array handler should act as same as the vm's

Author: laruence

NEWS

@@ -45,6 +45,8 @@ PHP                                                                        NEWS
   . Fixed bug (segfault due to retval is not initialized). (Laruence)
 
 - SPL:
+  . Bug #62987 (Assigning to ArrayObject[null][something] overrides all 
+    undefined variables). (Laruence)
   . Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray)
     (Laruence)
   . Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance

ext/spl/spl_array.c

@@ -312,38 +312,41 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
 	long index;
 	HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
 
-/*  We cannot get the pointer pointer so we don't allow it here for now
-	if (check_inherited && intern->fptr_offset_get) {
-		return zend_call_method_with_1_params(&object, Z_OBJCE_P(object), &intern->fptr_offset_get, "offsetGet", NULL, offset);
-	}*/
-
 	if (!offset) {
 		return &EG(uninitialized_zval_ptr);
 	}
 
 	if ((type == BP_VAR_W || type == BP_VAR_RW) && (ht->nApplyCount > 0)) {
 		zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
-		return &EG(uninitialized_zval_ptr);;
+		return &EG(error_zval_ptr);;
 	}
 
 	switch(Z_TYPE_P(offset)) {
+	case IS_NULL:
+		Z_STRVAL_P(offset) = "";
+		Z_STRLEN_P(offset) = 0;
 	case IS_STRING:
 		if (zend_symtable_find(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval) == FAILURE) {
-			if (type == BP_VAR_W || type == BP_VAR_RW) {
-				zval *value;
-				ALLOC_INIT_ZVAL(value);
-				zend_symtable_update(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), NULL);
-				zend_symtable_find(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void **) &retval);
-				return retval;
-			} else {
-				zend_error(E_NOTICE, "Undefined index:  %s", Z_STRVAL_P(offset));
-				return &EG(uninitialized_zval_ptr);
+			switch (type) {
+				case BP_VAR_R:
+					zend_error(E_NOTICE, "Undefined index:  %s", Z_STRVAL_P(offset));
+				case BP_VAR_UNSET:
+				case BP_VAR_IS:
+					retval = &EG(uninitialized_zval_ptr);
+					break;
+				case BP_VAR_RW:
+					zend_error(E_NOTICE,"Undefined index:  %s", Z_STRVAL_P(offset));
+				case BP_VAR_W: {
+				    zval *value;
+				    ALLOC_INIT_ZVAL(value);
+				    zend_symtable_update(ht, Z_STRVAL_P(offset), Z_STRLEN_P(offset)+1, (void**)&value, sizeof(void*), (void **)&retval);
+				}
 			}
-		} else {
-			return retval;
 		}
-	case IS_DOUBLE:
+		return retval;
 	case IS_RESOURCE:
+		zend_error(E_STRICT, "Resource ID#%ld used as offset, casting to integer (%ld)", Z_LVAL_P(offset), Z_LVAL_P(offset));
+	case IS_DOUBLE:
 	case IS_BOOL: 
 	case IS_LONG: 
 		if (offset->type == IS_DOUBLE) {
@@ -352,23 +355,27 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
 			index = Z_LVAL_P(offset);
 		}
 		if (zend_hash_index_find(ht, index, (void **) &retval) == FAILURE) {
-			if (type == BP_VAR_W || type == BP_VAR_RW) {
-				zval *value;
-				ALLOC_INIT_ZVAL(value);
-				zend_hash_index_update(ht, index, (void**)&value, sizeof(void*), NULL);
-				zend_hash_index_find(ht, index, (void **) &retval);
-				return retval;
-			} else {
-				zend_error(E_NOTICE, "Undefined offset:  %ld", index);
-				return &EG(uninitialized_zval_ptr);
+			switch (type) {
+				case BP_VAR_R:
+					zend_error(E_NOTICE, "Undefined offset:  %ld", index);
+				case BP_VAR_UNSET:
+				case BP_VAR_IS:
+					retval = &EG(uninitialized_zval_ptr);
+					break;
+				case BP_VAR_RW:
+					zend_error(E_NOTICE, "Undefined offset:  %ld", index);
+				case BP_VAR_W: {
+				    zval *value;
+				    ALLOC_INIT_ZVAL(value);
+					zend_hash_index_update(ht, index, (void**)&value, sizeof(void*), (void **)&retval);
+			   }
 			}
-		} else {
-			return retval;
 		}
-		break;
+		return retval;
 	default:
 		zend_error(E_WARNING, "Illegal offset type");
-		return &EG(uninitialized_zval_ptr);
+		return (type == BP_VAR_W || type == BP_VAR_RW) ?
+			&EG(error_zval_ptr) : &EG(uninitialized_zval_ptr);
 	}
 } /* }}} */
 
@@ -664,7 +671,6 @@ SPL_METHOD(Array, offsetSet)
 	spl_array_write_dimension_ex(0, getThis(), index, value TSRMLS_CC);
 } /* }}} */
 
-
 void spl_array_iterator_append(zval *object, zval *append_value TSRMLS_DC) /* {{{ */
 {
 	spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);

ext/spl/tests/bug62978.phpt

@@ -0,0 +1,50 @@
+--TEST--
+Bug #62987 (Assigning to ArrayObject[null][something] overrides all undefined variables)
+--FILE--
+<?php
+$a = new ArrayObject();
+
+$b = array();
+
+$a[null]['hurr'] = 'durr';
+
+var_dump($a['epic_magic']);
+var_dump($b['epic_magic']);
+var_dump($c['epic_magic']); // Undefined var!!
+
+$d = array();
+var_dump($a['epic_magic']); // more magic!
+var_dump($d['epic_magic']);
+
+$e = 'srsly?';
+var_dump($a['epic_magic']); // srsly.
+var_dump(isset($a['epic_magic']));
+
+$fp = fopen(__FILE__, 'r');
+var_dump($a[$fp]);
+
+fclose($fp);
+--EXPECTF--
+Notice: Undefined index:  epic_magic in %sbug62978.php on line %d
+NULL
+
+Notice: Undefined index: epic_magic in %sbug62978.php on line %d
+NULL
+
+Notice: Undefined variable: c in %sbug62978.php on line %d
+NULL
+
+Notice: Undefined index:  epic_magic in %sbug62978.php on line %d
+NULL
+
+Notice: Undefined index: epic_magic in %sbug62978.php on line %d
+NULL
+
+Notice: Undefined index:  epic_magic in %sbug62978.php on line %d
+NULL
+bool(false)
+
+Strict Standards: Resource ID#%d used as offset, casting to integer (%d) in %sbug62978.php on line %d
+
+Notice: Undefined offset:  %d in %sbug62978.php on line %d
+NULL