From: Dmitry Stogov
Date: Wed, 16 Nov 2005 09:31:21 +0000 (+0000)
Subject: Fixed bug #35229 (call_user_func() crashes when arguement_stack is nearly full)
X-Git-Tag: php-5.1.0RC5~6
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8bd18e174b4e4a048bcf82a274de68bd00ee9739;p=php
Fixed bug #35229 (call_user_func() crashes when arguement_stack is nearly full)
---
diff --git a/NEWS b/NEWS
index 245862256a..cd79b02912 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ PHP NEWS
 - Fixed bug in mysqli extension with unsigned int(11) being represented as signed integer in PHP instead of string in 32bit systems. (Andrey)
 - Fixed initializing and argument checking for posix_mknod(). (Derick)
+- Fixed bug #35229 (call_user_func() crashes when arguement_stack is nearly
+ full). (Dmitry)
 - Fixed bug #35197 (Destructor is not called). (Tony)
 - Fixed bug #35179 (tokenizer extension needs T_HALT_COMPILER). (Greg)
 - Fixed bug #35176 (include()/require()/*_once() produce wrong error messages
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
index 3c33779602..9bcc46f977 100644
--- a/ext/standard/basic_functions.c
+++ b/ext/standard/basic_functions.c
@@ -2025,7 +2025,7 @@ PHP_FUNCTION(call_user_func)
 params = safe_emalloc(sizeof(zval **), argc, 0);
- if (zend_get_parameters_array_ex(argc, params) == FAILURE) {
+ if (zend_get_parameters_array_ex(1, params) == FAILURE) {
 efree(params);
 RETURN_FALSE;
 }
@@ -2042,6 +2042,11 @@ PHP_FUNCTION(call_user_func)
 RETURN_NULL();
 }
+ if (zend_get_parameters_array_ex(argc, params) == FAILURE) {
+ efree(params);
+ RETURN_FALSE;
+ }
+
 if (call_user_function_ex(EG(function_table), NULL, *params[0], &retval_ptr, argc-1, params+1, 0, NULL TSRMLS_CC) == SUCCESS) {
 if (retval_ptr) {
 COPY_PZVAL_TO_ZVAL(*return_value, retval_ptr);
diff --git a/ext/standard/tests/general_functions/bug35229.phpt b/ext/standard/tests/general_functions/bug35229.phpt
new file mode 100755
index 0000000000..1ccabdf3de
--- /dev/null
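Review bot: Nothing in the new code says why the parameters are fetched twice, so the second `zend_get_parameters_array_ex(argc, params)` call added in the `-2042,6 +2042,11` hunk looks redundant and is easy to "simplify" away later. Judging by the commit title, the pointers stored in `params` can go stale when code between the two hunks (not visible here) causes the argument stack to be reallocated. The re-fetch appears to exist so that `call_user_function_ex()` never dereferences stale `params+1` entries. I would put a comment above the first call, for example `/* fetch only the callback here; the remaining args are re-fetched after the callable check because the argument stack may be reallocated in between */`. The body of PHP_FUNCTION(call_user_func) starts and ends outside both hunks.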
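Review bot: The failure branch added in the `-2042,6 +2042,11` hunk releases only `params` before `RETURN_FALSE;`, while the branch directly above it ends in `RETURN_NULL();` with its cleanup lines outside the hunk. If the callable check in that unseen stretch hands back an allocated buffer (a callback name string, for instance) that the later paths free, this new early return would leak it. In that case the branch should free the same buffer before `efree(params);`. This needs checking against the full function body, which starts and ends outside the hunk.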
+++ b/ext/standard/tests/general_functions/bug35229.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #35229 (call_user_func() crashes when arguement_stack is nearly full)
+--FILE--
+
+--EXPECT--
+OK
+OK