From 51218b3b9dc612b2db7511f93296f975b6c2aa9d Mon Sep 17 00:00:00 2001
From: Reeze Xia
Date: Thu, 5 Nov 2015 13:46:03 +0800
Subject: [PATCH 1/2] Fixed bug #70852 Segfault getting NULL offset of an ArrayObject.
---
 NEWS | 4 ++++
 ext/spl/spl_array.c | 4 ++--
 ext/spl/tests/bug70852.phpt | 11 +++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 ext/spl/tests/bug70852.phpt
diff --git a/NEWS b/NEWS
index 1ea9e3055cb5a..5dcb3310bc7fa 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,10 @@ PHP NEWS
 . Fixed bug #69757 (Segmentation fault on nextRowset). (miracle at rpz dot name)
+- SPL:
+ . Fixed bug #70852 Segfault getting NULL offset of an ArrayObject.
+ (Reeze Xia)
+
 29 Oct 2015, PHP 5.6.15
 - Core:
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 6ebbb7c0685a2..f977aa3244402 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -325,13 +325,13 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
 if (zend_symtable_find(ht, key, len, (void **) &retval) == FAILURE) {
 switch (type) {
 case BP_VAR_R:
- zend_error(E_NOTICE, "Undefined index: %s", Z_STRVAL_P(offset));
+ zend_error(E_NOTICE, "Undefined index: %s", key);
 case BP_VAR_UNSET:
 case BP_VAR_IS:
 retval = &EG(uninitialized_zval_ptr);
 break;
 case BP_VAR_RW:
- zend_error(E_NOTICE,"Undefined index: %s", Z_STRVAL_P(offset));
+ zend_error(E_NOTICE,"Undefined index: %s", key);
 case BP_VAR_W: {
 zval *value;
 ALLOC_INIT_ZVAL(value);
diff --git a/ext/spl/tests/bug70852.phpt b/ext/spl/tests/bug70852.phpt
new file mode 100644
index 0000000000000..da7c00bb66e0f
--- /dev/null
+++ b/ext/spl/tests/bug70852.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #70852 Segfault getting NULL offset of an ArrayObject
+--FILE--
+
+===DONE===
+--EXPECTF--
+Notice: Undefined index: in %s on line %d
+===DONE===
From 1c0622a472cb88f780733456f5bb0eb03a40a1cb Mon Sep 17 00:00:00 2001
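Review bot: The two corrected `zend_error` calls in the ext/spl/spl_array.c hunk depend on `key` being a valid NUL-terminated string whenever the lookup fails, but `key` is assigned outside this hunk and nothing here records that invariant. The removed code read `Z_STRVAL_P(offset)` without regard to the zval's type, which (going by the commit title) is presumably what crashed for a NULL offset, so a comment above the lookup such as `/* key/len were derived from offset above; do not read Z_STRVAL_P(offset) here, offset may not be a string */` would help keep that read from being reintroduced. Because `%s` stops at the first NUL while `len` is what bounds the hash lookup, the notice may print a shorter key than the one searched for; it is worth confirming that this is acceptable. The `BP_VAR_R` and `BP_VAR_RW` cases also fall through into the following labels without a `/* fallthrough */` marker, and the enclosing function starts and ends outside the hunk.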
From: Reeze Xia
Date: Thu, 5 Nov 2015 14:09:24 +0800
Subject: [PATCH 2/2] Make test for bug #70852 to cover all cases
---
 ext/spl/tests/bug70852.phpt | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ext/spl/tests/bug70852.phpt b/ext/spl/tests/bug70852.phpt
index da7c00bb66e0f..2b23ce4e0943d 100644
--- a/ext/spl/tests/bug70852.phpt
+++ b/ext/spl/tests/bug70852.phpt
@@ -3,9 +3,15 @@ Bug #70852 Segfault getting NULL offset of an ArrayObject
 --FILE--
 ===DONE===
 --EXPECTF--
 Notice: Undefined index: in %s on line %d
+NULL
+
+Notice: Undefined index: in %s on line %d
+NULL
 ===DONE===