Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray)

Author: laruence

NEWS

@@ -39,6 +39,8 @@ PHP                                                                        NEWS
   . Fixed bug (segfault due to retval is not initialized). (Laruence)
 
 - SPL:
+  . Fixed bug #62904 (Crash when cloning an object which inherits SplFixedArray)
+    (Laruence)
   . Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance
     gives Segmentation fault). (Laruence, Gustavo)
 

ext/spl/spl_fixedarray.c

@@ -223,10 +223,14 @@ static zend_object_value spl_fixedarray_object_new_ex(zend_class_entry *class_ty
 	if (orig && clone_orig) {
 		spl_fixedarray_object *other = (spl_fixedarray_object*)zend_object_store_get_object(orig TSRMLS_CC);
 		intern->ce_get_iterator = other->ce_get_iterator;
-
-		intern->array = emalloc(sizeof(spl_fixedarray));
-		spl_fixedarray_init(intern->array, other->array->size TSRMLS_CC);
-		spl_fixedarray_copy(intern->array, other->array TSRMLS_CC);
+		if (!other->array) {
+			/* leave a empty object, will be dtor later by CLONE handler */
+			zend_throw_exception(spl_ce_RuntimeException, "The instance wasn't initialized properly", 0 TSRMLS_CC);
+		} else {
+			intern->array = emalloc(sizeof(spl_fixedarray));
+			spl_fixedarray_init(intern->array, other->array->size TSRMLS_CC);
+			spl_fixedarray_copy(intern->array, other->array TSRMLS_CC);
+		}
 	}
 
 	while (parent) {

ext/spl/tests/bug62904.phpt

@@ -0,0 +1,19 @@
+--TEST--
+Bug #62904 (Crash when cloning an object which inherits SplFixedArray)
+--FILE--
+<?php
+
+class foo extends SplFixedArray {       
+    public function __construct($size) {
+    }
+}
+
+$x = new foo(2);
+
+try {
+    $z = clone $x;
+} catch (Exception $e) {
+    var_dump($e->getMessage());
+}
+--EXPECTF--
+string(40) "The instance wasn't initialized properly"