From: Dmitry Stogov
Date: Thu, 15 Jan 2009 14:23:42 +0000 (+0000)
Subject: Fixed possible crash because of argument stack reallocation
X-Git-Tag: php-5.2.9RC1~106
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8b93b4e373fb686d5be455da9ad36cb4f7e2fa6d;p=php
Fixed possible crash because of argument stack reallocation
---
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index ff5a7bdf4b..288ce987e5 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -901,6 +901,26 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache TS
 }
 }
+ /* Prevent crash because of stack reallocation */
+ if (!call_via_handler &&
+ fci->param_count &&
+ EG(argument_stack).top + fci->param_count > EG(argument_stack).max &&
+ *(void***)fci->params >= EG(argument_stack).elements &&
+ *(void***)fci->params < EG(argument_stack).top_element) {
+ /* Manual stack reallocation */
+ void **prev_elements = EG(argument_stack).elements;
+ void **prev_top_element = EG(argument_stack).top_element;
+ ZEND_PTR_STACK_RESIZE_IF_NEEDED((&EG(argument_stack)), fci->param_count);
+ for (i=0; iparam_count; i++) {
+ if ((void**)fci->params[i] >= prev_elements &&
+ (void**)fci->params[i] < prev_top_element) {
+ fci->params[i] = (zval**)((void**)fci->params[i] - prev_elements + EG(argument_stack).elements);
+ }
+ }
+ }
+
 for (i=0; iparam_count; i++) {
 zval *param;
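Review bot: The outer guard decides whether to rebase by testing only the first parameter (`*(void***)fci->params`, i.e. `fci->params[0]`) against the argument-stack range, so a call whose first parameter lives elsewhere but whose later parameters point into the stack would skip the fix-up and keep stale pointers into the old buffer once the stack grows. The inner loop already range-checks every `fci->params[i]`, so the two first-element conditions can be dropped: `if (!call_via_handler && fci->param_count && EG(argument_stack).top + fci->param_count > EG(argument_stack).max) {`. That should cost nothing extra, since the capacity test alone says the stack is about to grow, presumably in the push loop that follows. zend_call_function starts and ends outside the hunk, so whether any caller actually passes such a mixed params array cannot be confirmed from here.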