?? ??? 2012, PHP 5.3.11
- Core:
+ . Fixed bug #61273 (call_user_func_array with more than 16333 arguments
+ leaks / crashes). (Laruence)
. Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
. Improved max_input_vars directive to check nested variables (Dmitry).
. Fixed bug #61095 (Incorect lexing of 0x00*+<NUM>). (Etienne)
--- /dev/null
+--TEST--
+Bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)
+--FILE--
+<?php
+/**
+ * for 5.3 #define ZEND_VM_STACK_PAGE_SIZE ((64 * 1024) - 64)
+ * for 5.4 #define ZEND_VM_STACK_PAGE_SIZE ((16 * 1024) - 16)
+ * we should trick EG(argument_stack) into growing
+ */
+$args = array_fill(0, 64 * 1024 - 64, "*");
+call_user_func_array(function(&$a) {}, $args);
+echo strval("okey");
+--EXPECTF--
+Warning: Parameter 1 to {closure}() expected to be a reference, value given in %sbug61273.php on line %d
+okey
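Review bot: The argument count `64 * 1024 - 64` in the `array_fill` call copies the 5.3 value of ZEND_VM_STACK_PAGE_SIZE as a literal, so if the page size is ever raised the test will keep passing without reaching the fixed branch. The docblock should say that the count has to be at least one full stack page so that the call forces EG(argument_stack) onto a new page, and that the closure's by-reference first parameter is what makes the call fail at argument index 0, for example `* the count must be >= ZEND_VM_STACK_PAGE_SIZE so the call spills onto a new, empty stack page`. The expected output checks only the warning and `okey`, so a leak (as opposed to a crash) would presumably be caught only on a build that reports leaks at shutdown; a line in the docblock noting that would help.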
if (fci->no_separation &&
!ARG_MAY_BE_SENT_BY_REF(EX(function_state).function, i + 1)) {
- if(i) {
+ if (i || UNEXPECTED(UNEXPECTED(ZEND_VM_STACK_ELEMETS(EG(argument_stack)) == EG(argument_stack)->top))) {
/* hack to clean up the stack */
zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
zend_vm_stack_clear_multiple(TSRMLS_C);
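Review bot: The new condition on the `if (i || ...)` line wraps the comparison in `UNEXPECTED(...)` twice, which adds nothing over a single branch hint and makes the check harder to read; `if (i || UNEXPECTED(ZEND_VM_STACK_ELEMETS(EG(argument_stack)) == EG(argument_stack)->top)) {` is equivalent. The `/* hack to clean up the stack */` comment also no longer explains the branch: it should state that with `i == 0` nothing has been pushed, yet the cleanup must still run when the current argument-stack page is empty, presumably because the stack has already grown onto a fresh page for this call and that page would otherwise be left behind (the leak/crash in bug #61273). This path is reachable from userland with a large argument array, so writing that invariant next to the check helps keep it intact in later edits. The enclosing function starts and ends outside the hunk.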