Fixed bug #35229 (call_user_func() crashes when arguement_stack is nearly full)

NEWS

@@ -7,6 +7,8 @@ PHP                                                                        NEWS
 - Fixed bug in mysqli extension with unsigned int(11) being represented as 
   signed integer in PHP instead of string in 32bit systems. (Andrey)
 - Fixed initializing and argument checking for posix_mknod(). (Derick)
+- Fixed bug #35229 (call_user_func() crashes when arguement_stack is nearly
+  full). (Dmitry)
 - Fixed bug #35197 (Destructor is not called). (Tony)
 - Fixed bug #35179 (tokenizer extension needs T_HALT_COMPILER). (Greg)
 - Fixed bug #35176 (include()/require()/*_once() produce wrong error messages

ext/standard/basic_functions.c

@@ -2025,7 +2025,7 @@ PHP_FUNCTION(call_user_func)
 
 	params = safe_emalloc(sizeof(zval **), argc, 0);
 
-	if (zend_get_parameters_array_ex(argc, params) == FAILURE) {
+	if (zend_get_parameters_array_ex(1, params) == FAILURE) {
 		efree(params);
 		RETURN_FALSE;
 	}
@@ -2042,6 +2042,11 @@ PHP_FUNCTION(call_user_func)
 		RETURN_NULL();
 	}
 
+	if (zend_get_parameters_array_ex(argc, params) == FAILURE) {
+		efree(params);
+		RETURN_FALSE;
+	}
+
 	if (call_user_function_ex(EG(function_table), NULL, *params[0], &retval_ptr, argc-1, params+1, 0, NULL TSRMLS_CC) == SUCCESS) {
 		if (retval_ptr) {
 			COPY_PZVAL_TO_ZVAL(*return_value, retval_ptr);

ext/standard/tests/general_functions/bug35229.phpt

@@ -0,0 +1,30 @@
+--TEST--
+Bug #35229 (call_user_func() crashes when arguement_stack is nearly full)
+--FILE--
+<?php
+class test2 {
+  static function use_stack() {
+    echo "OK\n";
+  }
+}
+
+function __autoload($class)
+{
+	eval('class test1 extends test2 {}');
+
+	test1::use_stack(
+    1,2,3,4,5,6,7,8,9,10,
+    11,12,13,14,15,16,17,18,19,20,
+    21,22,23,24,25,26,27,28,29,30
+  );
+}
+
+call_user_func(array('test1', 'use_stack'),
+  1,2,3,4,5,6,7,8,9,10,
+  11,12,13,14,15,16,17,18,19,20,
+  21,22,23,24,25,26,27,28,29,30
+);
+?>
+--EXPECT--
+OK
+OK