From 8bd18e174b4e4a048bcf82a274de68bd00ee9739 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Wed, 16 Nov 2005 09:31:21 +0000
Subject: [PATCH] Fixed bug #35229 (call_user_func() crashes when arguement_stack is nearly full)
---
 NEWS | 2 ++
 ext/standard/basic_functions.c | 7 ++++-
 .../tests/general_functions/bug35229.phpt | 30 +++++++++++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100755 ext/standard/tests/general_functions/bug35229.phpt
diff --git a/NEWS b/NEWS
index 245862256a..cd79b02912 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ PHP NEWS
 - Fixed bug in mysqli extension with unsigned int(11) being represented as signed integer in PHP instead of string in 32bit systems. (Andrey)
 - Fixed initializing and argument checking for posix_mknod(). (Derick)
+- Fixed bug #35229 (call_user_func() crashes when arguement_stack is nearly
+ full). (Dmitry)
 - Fixed bug #35197 (Destructor is not called). (Tony)
 - Fixed bug #35179 (tokenizer extension needs T_HALT_COMPILER). (Greg)
 - Fixed bug #35176 (include()/require()/*_once() produce wrong error messages
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
index 3c33779602..9bcc46f977 100644
--- a/ext/standard/basic_functions.c
+++ b/ext/standard/basic_functions.c
@@ -2025,7 +2025,7 @@ PHP_FUNCTION(call_user_func)
 params = safe_emalloc(sizeof(zval **), argc, 0);
- if (zend_get_parameters_array_ex(argc, params) == FAILURE) {
+ if (zend_get_parameters_array_ex(1, params) == FAILURE) {
 efree(params);
 RETURN_FALSE;
 }
@@ -2042,6 +2042,11 @@ PHP_FUNCTION(call_user_func)
 RETURN_NULL();
 }
+ if (zend_get_parameters_array_ex(argc, params) == FAILURE) {
+ efree(params);
+ RETURN_FALSE;
+ }
+
 if (call_user_function_ex(EG(function_table), NULL, *params[0], &retval_ptr, argc-1, params+1, 0, NULL TSRMLS_CC) == SUCCESS) {
 if (retval_ptr) {
 COPY_PZVAL_TO_ZVAL(*return_value, retval_ptr);
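Review bot: Nothing at the changed call in the first basic_functions.c hunk (`zend_get_parameters_array_ex(1, params)`) says why only one argument is fetched into a buffer sized for `argc`, so a later cleanup could merge the two fetches again and bring back the crash. Judging from the subject line and the re-fetch added in the second hunk, the entries appear to be pointers into the argument stack that can go stale if the stack grows during the callback check; that is inferred, not shown in these lines. I would add a comment above the call, e.g. `/* fetch only the callback now; the remaining args are read after the callable check, which may grow the argument stack */`. The body of call_user_func starts and ends outside the hunk.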
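Review bot: The re-fetch added in the second basic_functions.c hunk only protects uses of `params` that come after it, so any dereference of `params[0]` between the first fetch and this point still relies on the pointer taken before the callback check. That code lies outside the hunk, so whether anything there can push onto the argument stack and then touch `params[0]` again has to be checked against the full function. It would also help to state at the re-fetch that slot 0 is refreshed on purpose, e.g. `/* re-read all args, including params[0]: pointers taken earlier may be stale */`, since `*params[0]` is passed to `call_user_function_ex` right below.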
diff --git a/ext/standard/tests/general_functions/bug35229.phpt b/ext/standard/tests/general_functions/bug35229.phpt
new file mode 100755
index 0000000000..1ccabdf3de
--- /dev/null
+++ b/ext/standard/tests/general_functions/bug35229.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #35229 (call_user_func() crashes when arguement_stack is nearly full)
+--FILE--
+
+--EXPECT--
+OK
+OK
-- 
2.40.0