MFB: Fixed bug #44046 (crash inside array_slice() function with an invalid

by-ref offset).

diff --git a/ext/standard/array.c b/ext/standard/array.c
index bf472e10a2b4af6d836ff71503871a1c8f947337..9b8b9833fb7a2329702462f610c193fdee54a3dc 100644 (file)
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -2296,17 +2296,16 @@ PHP_FUNCTION(array_slice)
        zval     *input,                /* Input array */
                        **entry;                /* An array entry */
        long     offset,                /* Offset to get elements from */
-                        length = 0;
+                        length = NULL;
        zend_bool preserve_keys = 0; /* Whether to preserve keys while copying to the new array or not */
        int              num_in,                /* Number of elements in the input array */
                         pos;                   /* Current position in the array */
-       zval    *z_length;      /* How many elements to get */
        zstr string_key;
        uint string_key_len;
        ulong num_key;
        HashPosition hpos;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "al|z/b", &input, &offset, &z_length, &preserve_keys) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "al|lb", &input, &offset, &length, &preserve_keys) == FAILURE) {
                return;
        }
 
@@ -2314,10 +2313,7 @@ PHP_FUNCTION(array_slice)
        num_in = zend_hash_num_elements(Z_ARRVAL_P(input));
 
        /* We want all entries from offset to the end if length is not passed or length is null */
-       if (ZEND_NUM_ARGS() >= 3 && Z_TYPE_P(z_length) != IS_NULL) {
-               convert_to_long(z_length);
-               length = Z_LVAL_P(z_length);
-       } else {
+       if (length == NULL) {
                length = num_in;
        }