From 4545b5bf25392c984bba13eb79c6538a88e4c121 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Tue, 5 Feb 2008 16:02:23 +0000
Subject: [PATCH] MFB: Fixed bug #44046 (crash inside array_slice() function with an invalid by-ref offset).
---
 ext/standard/array.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/ext/standard/array.c b/ext/standard/array.c
index bf472e10a2..9b8b9833fb 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -2296,17 +2296,16 @@ PHP_FUNCTION(array_slice)
 zval *input, /* Input array */
 **entry; /* An array entry */
 long offset, /* Offset to get elements from */
- length = 0;
+ length = NULL;
 zend_bool preserve_keys = 0; /* Whether to preserve keys while copying to the new array or not */
 int num_in, /* Number of elements in the input array */
 pos; /* Current position in the array */
- zval *z_length; /* How many elements to get */
 zstr string_key;
 uint string_key_len;
 ulong num_key;
 HashPosition hpos;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "al|z/b", &input, &offset, &z_length, &preserve_keys) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "al|lb", &input, &offset, &length, &preserve_keys) == FAILURE) {
 return;
 }
@@ -2314,10 +2313,7 @@ PHP_FUNCTION(array_slice)
 num_in = zend_hash_num_elements(Z_ARRVAL_P(input));
 /* We want all entries from offset to the end if length is not passed or length is null */
- if (ZEND_NUM_ARGS() >= 3 && Z_TYPE_P(z_length) != IS_NULL) {
- convert_to_long(z_length);
- length = Z_LVAL_P(z_length);
- } else {
+ if (length == NULL) {
 length = num_in;
 }
--
2.50.1
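Review bot: `length` is a `long`, so initializing it with `NULL` in the first hunk and testing `length == NULL` in the second hunk is an integer comparison against zero, not a check for a missing argument. As written, an explicit length of 0 cannot be told apart from an omitted one and is replaced by `num_in`; whether that changes what callers get back depends on the length handling further down in PHP_FUNCTION(array_slice), which lies outside both hunks. I would keep `length = 0;` as the initializer and decide on the argument count with `if (ZEND_NUM_ARGS() < 3) {`; if an explicit null must still mean "to the end", as the retained comment says, that case needs its own check before the `l` specifier coerces the value to 0. Where `NULL` is defined as `(void *)0`, the initializer and the comparison will also draw pointer/integer conversion warnings.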