Index: ext/spl/spl_array.c
===================================================================
RCS file: /repository/php-src/ext/spl/spl_array.c,v
retrieving revision 1.150
diff -u -p -r1.150 spl_array.c
--- ext/spl/spl_array.c	29 Sep 2008 22:42:48 -0000	1.150
+++ ext/spl/spl_array.c	5 Oct 2008 14:18:11 -0000
@@ -282,6 +282,7 @@ static zval **spl_array_get_dimension_pt
 	spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
 	zval **retval;
 	long index;
+	HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
 
 /*  We cannot get the pointer pointer so we don't allow it here for now
 	if (check_inherited && intern->fptr_offset_get) {
@@ -295,9 +296,17 @@ static zval **spl_array_get_dimension_pt
 	switch(Z_TYPE_P(offset)) {
 	case IS_STRING:
 	case IS_UNICODE:
-		if (zend_u_symtable_find(spl_array_get_hash_table(intern, 0 TSRMLS_CC), Z_TYPE_P(offset), Z_UNIVAL_P(offset), Z_UNILEN_P(offset)+1, (void **) &retval) == FAILURE) {
-			zend_error(E_NOTICE, "Undefined index:  %R", Z_TYPE_P(offset), Z_STRVAL_P(offset));
-			return &EG(uninitialized_zval_ptr);
+		if (zend_u_symtable_find(ht, Z_TYPE_P(offset), Z_UNIVAL_P(offset), Z_UNILEN_P(offset)+1, (void **) &retval) == FAILURE) {
+			if (type == BP_VAR_W || type == BP_VAR_RW) {
+				zval *value;
+				ALLOC_INIT_ZVAL(value);
+				zend_u_symtable_update(ht, Z_TYPE_P(offset), Z_UNIVAL_P(offset), Z_UNILEN_P(offset)+1, (void**)&value, sizeof(void*), NULL);
+				zend_u_symtable_find(ht, Z_TYPE_P(offset), Z_UNIVAL_P(offset), Z_UNILEN_P(offset)+1, (void **) &retval);
+				return retval;
+			} else {
+				zend_error(E_NOTICE, "Undefined index:  %R", Z_TYPE_P(offset), Z_STRVAL_P(offset));
+				return &EG(uninitialized_zval_ptr);
+			}
 		} else {
 			return retval;
 		}
@@ -310,9 +319,17 @@ static zval **spl_array_get_dimension_pt
 		} else {
 			index = Z_LVAL_P(offset);
 		}
-		if (zend_hash_index_find(spl_array_get_hash_table(intern, 0 TSRMLS_CC), index, (void **) &retval) == FAILURE) {
-			zend_error(E_NOTICE, "Undefined offset:  %ld", Z_LVAL_P(offset));
-			return &EG(uninitialized_zval_ptr);
+		if (zend_hash_index_find(ht, index, (void **) &retval) == FAILURE) {
+			if (type == BP_VAR_W || type == BP_VAR_RW) {
+				zval *value;
+				ALLOC_INIT_ZVAL(value);
+				zend_hash_index_update(ht, index, (void**)&value, sizeof(void*), NULL);
+				zend_hash_index_find(ht, index, (void **) &retval);
+				return retval;
+			} else {
+				zend_error(E_NOTICE, "Undefined offset:  %ld", Z_LVAL_P(offset));
+				return &EG(uninitialized_zval_ptr);
+			}
 		} else {
 			return retval;
 		}
Index: ext/spl/tests/array_026.phpt
===================================================================
RCS file: ext/spl/tests/array_026.phpt
diff -N ext/spl/tests/array_026.phpt
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ ext/spl/tests/array_026.phpt	5 Oct 2008 14:18:11 -0000
@@ -0,0 +1,24 @@
+--TEST--
+SPL: ArrayObject indirect offsetGet overwriting EG(uninitialized_zvar_ptr)
+--FILE--
+<?php
+$test = new ArrayObject();
+$test['d1']['d2'] = 'hello';
+$test['d1']['d3'] = 'world';
+var_dump($test, $test3['mmmmm']);
+?>
+--EXPECTF--
+Notice: Undefined variable: test3 in %s%earray_026.php on line 5
+object(ArrayObject)#%d (1) {
+  [u"storage":u"ArrayObject":private]=>
+  array(1) {
+    [u"d1"]=>
+    array(2) {
+      [u"d2"]=>
+      unicode(5) "hello"
+      [u"d3"]=>
+      unicode(5) "world"
+    }
+  }
+}
+NULL