From 7fd92b524d12d03c000ece513757a8e267013ca4 Mon Sep 17 00:00:00 2001
From: Andi Gutmans <andi@php.net>
Date: Sun, 26 Mar 2000 18:40:24 +0000
Subject: [PATCH] - Stop zend_func_args() and co. from crashing

---
 Zend/zend_API.c               | 10 +++++-----
 Zend/zend_builtin_functions.c | 19 ++++++++++++++++---
 Zend/zend_execute.c           |  2 +-
 Zend/zend_execute_API.c       |  8 ++++----
 4 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index 862a298058..017c891554 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -41,7 +41,7 @@ ZEND_API int zend_get_parameters(int ht, int param_count, ...)
 	zval **param, *param_ptr;
 	ELS_FETCH();
 
-	p = EG(argument_stack).top_element-1;
+	p = EG(argument_stack).top_element-2;
 	arg_count = (ulong) *p;
 
 	if (param_count>arg_count) {
@@ -80,7 +80,7 @@ ZEND_API int zend_get_parameters_array(int ht, int param_count, zval **argument_
 	zval *param_ptr;
 	ELS_FETCH();
 
-	p = EG(argument_stack).top_element-1;
+	p = EG(argument_stack).top_element-2;
 	arg_count = (ulong) *p;
 
 	if (param_count>arg_count) {
@@ -121,7 +121,7 @@ ZEND_API int zend_get_parameters_ex(int param_count, ...)
 	zval ***param;
 	ELS_FETCH();
 
-	p = EG(argument_stack).top_element-1;
+	p = EG(argument_stack).top_element-2;
 	arg_count = (ulong) *p;
 
 	if (param_count>arg_count) {
@@ -145,7 +145,7 @@ ZEND_API int zend_get_parameters_array_ex(int param_count, zval ***argument_arra
 	int arg_count;
 	ELS_FETCH();
 
-	p = EG(argument_stack).top_element-1;
+	p = EG(argument_stack).top_element-2;
 	arg_count = (ulong) *p;
 
 	if (param_count>arg_count) {
@@ -167,7 +167,7 @@ ZEND_API int ParameterPassedByReference(int ht, uint n)
 	zval *arg;
 	ELS_FETCH();
 
-	p = EG(argument_stack).elements+EG(argument_stack).top-1;
+	p = EG(argument_stack).elements+EG(argument_stack).top-2;
 	arg_count = (ulong) *p;
 
 	if (n>arg_count) {
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
index d8d826c105..1e91309e9a 100644
--- a/Zend/zend_builtin_functions.c
+++ b/Zend/zend_builtin_functions.c
@@ -108,9 +108,13 @@ ZEND_FUNCTION(func_num_args)
 	int arg_count;
 
 	p = EG(argument_stack).top_element-1;
+	if (p) {
+		zend_error(E_ERROR, "func_num_args(): Can't be used as a function parameter");
+	}
+	--p;
 	arg_count = (ulong) *p;		/* this is the amount of arguments passed to func_num_args(); */
 
-	p = EG(argument_stack).top_element-1-arg_count-1;
+	p = EG(argument_stack).top_element-1-arg_count-2;
 	if (p>=EG(argument_stack).elements) {
 		RETURN_LONG((ulong) *p);
 	} else {
@@ -135,9 +139,13 @@ ZEND_FUNCTION(func_get_arg)
 	requested_offset = (*z_requested_offset)->value.lval;
 
 	p = EG(argument_stack).top_element-1;
+	if (p) {
+		zend_error(E_ERROR, "func_get_arg(): Can't be used as a function parameter");
+	}
+	--p;	
 	arg_count = (ulong) *p;		/* this is the amount of arguments passed to func_num_args(); */
 
-	p = EG(argument_stack).top_element-1-arg_count-1;
+	p = EG(argument_stack).top_element-1-arg_count-2;
 	if (p<EG(argument_stack).elements) {
 		zend_error(E_WARNING, "func_get_arg():  Called from the global scope - no function context");
 		RETURN_FALSE;
@@ -162,9 +170,14 @@ ZEND_FUNCTION(func_get_args)
 	int i;
 
 	p = EG(argument_stack).top_element-1;
+	if (p) {
+		zend_error(E_ERROR, "func_get_args(): Can't be used as a function parameter");
+	}
+	--p;	
+	
 	arg_count = (ulong) *p;		/* this is the amount of arguments passed to func_num_args(); */
 
-	p = EG(argument_stack).top_element-1-arg_count-1;
+	p = EG(argument_stack).top_element-1-arg_count-2;
 	if (p<EG(argument_stack).elements) {
 		zend_error(E_WARNING, "func_get_args():  Called from the global scope - no function context");
 		RETURN_FALSE;
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 5764937db2..d8c44c0f1f 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1574,7 +1574,7 @@ do_fcall_common:
 					zval **original_return_value;
 					int return_value_used = RETURN_VALUE_USED(opline);
 
-					zend_ptr_stack_push(&EG(argument_stack), (void *) opline->extended_value);
+					zend_ptr_stack_n_push(&EG(argument_stack), 2, (void *) opline->extended_value, NULL);
 
 					Ts[opline->result.u.var].var.ptr_ptr = &Ts[opline->result.u.var].var.ptr;
 
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index 40d62bada1..1daea3ce17 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -384,7 +384,7 @@ int call_user_function_ex(HashTable *function_table, zval *object, zval *functio
 		zend_ptr_stack_push(&EG(argument_stack), param);
 	}
 
-	zend_ptr_stack_push(&EG(argument_stack), (void *) (long) param_count);
+	zend_ptr_stack_n_push(&EG(argument_stack), 2, (void *) (long) param_count, NULL);
 
 	if (function_state.function->type == ZEND_USER_FUNCTION) {
 		calling_symbol_table = EG(active_symbol_table);
@@ -564,10 +564,10 @@ void execute_new_code(CLS_D)
  */
 ZEND_API inline void zend_ptr_stack_clear_multiple(ELS_D)
 {
-	void **p = EG(argument_stack).top_element-1;
+	void **p = EG(argument_stack).top_element-2;
 	int delete_count = (ulong) *p;
 
-	EG(argument_stack).top -= (delete_count+1);
+	EG(argument_stack).top -= (delete_count+2);
 	while (--delete_count>=0) {
 		zval_ptr_dtor((zval **) --p);
 	}
@@ -578,7 +578,7 @@ ZEND_API inline void zend_ptr_stack_clear_multiple(ELS_D)
 
 ZEND_API int zend_ptr_stack_get_arg(int requested_arg, void **data ELS_DC)
 {
-	void **p = EG(argument_stack).top_element-1;
+	void **p = EG(argument_stack).top_element-2;
 	int arg_count = (ulong) *p;
 
 	if (requested_arg>arg_count) {
-- 
2.50.1