From 376d30f4414183c18297bce3464fe002e11263c8 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Wed, 16 Nov 2005 09:43:56 +0000
Subject: [PATCH] Fixed bug #35229 (call_user_func() crashes when arguement_stack is nearly full)
---
 ext/standard/basic_functions.c | 7 ++++-
 .../tests/general_functions/bug35229.phpt | 30 +++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100755 ext/standard/tests/general_functions/bug35229.phpt
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
index 8f0eb720ff..691c78c9e1 100644
--- a/ext/standard/basic_functions.c
+++ b/ext/standard/basic_functions.c
@@ -2038,7 +2038,7 @@ PHP_FUNCTION(call_user_func)
 params = safe_emalloc(sizeof(zval **), argc, 0);
- if (zend_get_parameters_array_ex(argc, params) == FAILURE) {
+ if (zend_get_parameters_array_ex(1, params) == FAILURE) {
 efree(params);
 RETURN_FALSE;
 }
@@ -2058,6 +2058,11 @@ PHP_FUNCTION(call_user_func)
 RETURN_NULL();
 }
+ if (zend_get_parameters_array_ex(argc, params) == FAILURE) {
+ efree(params);
+ RETURN_FALSE;
+ }
+
 if (call_user_function_ex(EG(function_table), NULL, *params[0], &retval_ptr, argc-1, params+1, 0, NULL TSRMLS_CC) == SUCCESS) {
 if (retval_ptr) {
 COPY_PZVAL_TO_ZVAL(*return_value, retval_ptr);
diff --git a/ext/standard/tests/general_functions/bug35229.phpt b/ext/standard/tests/general_functions/bug35229.phpt
new file mode 100755
index 0000000000..1ccabdf3de
--- /dev/null
+++ b/ext/standard/tests/general_functions/bug35229.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #35229 (call_user_func() crashes when arguement_stack is nearly full)
+--FILE--
+--EXPECT--
+OK
+OK
-- 
2.50.1
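Review bot: The split into a one-argument fetch at the top and a full `zend_get_parameters_array_ex(argc, params)` just before `call_user_function_ex` carries no comment saying why the order matters, so a later cleanup could merge the two calls and reintroduce the crash. Going by the commit subject, the pointers fetched up front apparently went stale once the code between the two hunks (not visible here) ran with a nearly full argument stack; that is inferred from the subject, not shown in the diff. I would add above the second fetch something like `/* re-fetch all arguments: the code above may have moved the argument stack, so pointers taken earlier must not be reused */`, worded to match what the intermediate code actually does. Between the two calls only `params[0]` is initialised while the buffer is sized for `argc` entries, so nothing in that stretch should read `params[1]` and up, which is worth stating in the same comment. The function body starts before the first hunk and continues past the second.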