From b7ae5e0d86d9528af4ed6bd75821f8cae7c5cb95 Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@php.net>
Date: Sun, 11 Mar 2012 15:28:31 +0000
Subject: [PATCH] Fixed bug #61273 (call_user_func_array with more than 16333
 arguments leaks / crashes)

---
 NEWS                     |  2 ++
 Zend/tests/bug61273.phpt | 15 +++++++++++++++
 Zend/zend_execute_API.c  |  2 +-
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/bug61273.phpt

diff --git a/NEWS b/NEWS
index c585895392..6ff05dbe2a 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,8 @@ PHP                                                                        NEWS
   . "Connection: close" instead of "Connection: closed" (Gustavo)
 
 - Core:
+  . Fixed bug #61273 (call_user_func_array with more than 16333 arguments 
+    leaks / crashes). (Laruence)
   . Fixed bug #61225 (Incorect lexing of 0b00*+<NUM>). (Pierrick)
   . Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
   . Fixed bug #61106 (Segfault when using header_register_callback). (Nikita
diff --git a/Zend/tests/bug61273.phpt b/Zend/tests/bug61273.phpt
new file mode 100644
index 0000000000..9d78b27317
--- /dev/null
+++ b/Zend/tests/bug61273.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)
+--FILE--
+<?php
+/**
+ * for 5.3 #define ZEND_VM_STACK_PAGE_SIZE ((64 * 1024) - 64)
+ * for 5.4 #define ZEND_VM_STACK_PAGE_SIZE ((16 * 1024) - 16)
+ * we should trick EG(argument_stack) into growing
+ */
+$args = array_fill(0, 64 * 1024 - 64, "*");
+call_user_func_array(function(&$a) {}, $args);
+echo strval("okey");
+--EXPECTF--
+Warning: Parameter 1 to {closure}() expected to be a reference, value given in %sbug61273.php on line %d
+okey
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index 10adfb6a26..1deee2a86c 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -859,7 +859,7 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache TS
 
 				if (fci->no_separation &&
 				    !ARG_MAY_BE_SENT_BY_REF(EX(function_state).function, i + 1)) {
-					if(i) {
+					if (i || UNEXPECTED(ZEND_VM_STACK_ELEMETS(EG(argument_stack)) == (EG(argument_stack)->top))) {
 						/* hack to clean up the stack */
 						zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
 						zend_vm_stack_clear_multiple(TSRMLS_C);
-- 
2.40.0