From: Dmitry Stogov
Date: Wed, 16 Nov 2005 09:43:56 +0000 (+0000)
Subject: Fixed bug #35229 (call_user_func() crashes when arguement_stack is nearly full)
X-Git-Tag: RELEASE_0_9_3~34
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=376d30f4414183c18297bce3464fe002e11263c8;p=php
Fixed bug #35229 (call_user_func() crashes when arguement_stack is nearly full)
---
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
index 8f0eb720ff..691c78c9e1 100644
--- a/ext/standard/basic_functions.c
+++ b/ext/standard/basic_functions.c
@@ -2038,7 +2038,7 @@ PHP_FUNCTION(call_user_func)
 params = safe_emalloc(sizeof(zval **), argc, 0);
- if (zend_get_parameters_array_ex(argc, params) == FAILURE) {
+ if (zend_get_parameters_array_ex(1, params) == FAILURE) {
 efree(params);
 RETURN_FALSE;
 }
@@ -2058,6 +2058,11 @@ PHP_FUNCTION(call_user_func)
 RETURN_NULL();
 }
+ if (zend_get_parameters_array_ex(argc, params) == FAILURE) {
+ efree(params);
+ RETURN_FALSE;
+ }
+
 if (call_user_function_ex(EG(function_table), NULL, *params[0], &retval_ptr, argc-1, params+1, 0, NULL TSRMLS_CC) == SUCCESS) {
 if (retval_ptr) {
 COPY_PZVAL_TO_ZVAL(*return_value, retval_ptr);
diff --git a/ext/standard/tests/general_functions/bug35229.phpt b/ext/standard/tests/general_functions/bug35229.phpt
new file mode 100755
index 0000000000..1ccabdf3de
--- /dev/null
+++ b/ext/standard/tests/general_functions/bug35229.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #35229 (call_user_func() crashes when arguement_stack is nearly full)
+--FILE--
+
+--EXPECT--
+OK
+OK
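Review bot: Nothing at the narrowed `zend_get_parameters_array_ex(1, params)` call says that only `params[0]` is valid from here on, although the array was sized by `safe_emalloc(sizeof(zval **), argc, 0)` and slots 1..argc-1 stay uninitialised until the later full fetch. A one-line comment would keep later edits from reading those slots early: `/* only the callback is fetched here; params[1..argc-1] are filled by the re-fetch below */`. The body of call_user_func starts and ends outside this hunk, so whether the intervening lines touch anything beyond `params[0]` cannot be checked from here.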
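Review bot: The added second `zend_get_parameters_array_ex(argc, params)` carries no comment explaining why the arguments are fetched again, so it reads as redundant and is an easy target for a later cleanup. Judging by the commit title, the code between the two fetches can presumably grow or move the argument stack, which would leave pointers taken earlier dangling; stating that next to the call (`/* re-fetch: the callback check above may reallocate the argument stack, invalidating earlier zval ** pointers */`) protects the fix. The new failure branch frees only `params`; the lines between the hunks are not shown, so it is worth confirming that nothing else allocated there is still live at this `RETURN_FALSE`. The function continues outside the hunk.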