Patch call_user_func_array.patch for Reproducible crash Bug #61273

Patch version 2012-03-04 16:00 UTC

• 2012-03-04 16:00 UTC [diff to current]

Developer: nikic@php.net

Index: trunk/Zend/tests/bug61273.phpt
===================================================================
--- trunk/Zend/tests/bug61273.phpt	(revision 0)
+++ trunk/Zend/tests/bug61273.phpt	(working copy)
@@ -0,0 +1,11 @@
+--TEST--
+Bug #61273: call_user_func_array with more than 16333 arguments leaks / crashes
+--FILE--
+<?php
+call_user_func_array(
+    function (&$a) {},
+    array_fill(0, 16334, '*')
+);
+?>
+--EXPECTF--
+Warning: Parameter 1 to {closure}() expected to be a reference, value given in %s on line %d
Index: trunk/Zend/zend_execute_API.c
===================================================================
--- trunk/Zend/zend_execute_API.c	(revision 323862)
+++ trunk/Zend/zend_execute_API.c	(working copy)
@@ -859,11 +859,9 @@
 
 				if (fci->no_separation &&
 				    !ARG_MAY_BE_SENT_BY_REF(EX(function_state).function, i + 1)) {
-					if(i) {
-						/* hack to clean up the stack */
-						zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
-						zend_vm_stack_clear_multiple(TSRMLS_C);
-					}
+					/* hack to clean up the stack */
+					zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
+					zend_vm_stack_clear_multiple(TSRMLS_C);
 
 					zend_error(E_WARNING, "Parameter %d to %s%s%s() expected to be a reference, value given",
 						i+1,
Index: branches/PHP_5_3/Zend/tests/bug61273.phpt
===================================================================
--- branches/PHP_5_3/Zend/tests/bug61273.phpt	(revision 0)
+++ branches/PHP_5_3/Zend/tests/bug61273.phpt	(working copy)
@@ -0,0 +1,11 @@
+--TEST--
+Bug #61273: call_user_func_array with more than 16333 arguments leaks / crashes
+--FILE--
+<?php
+call_user_func_array(
+    function (&$a) {},
+    array_fill(0, 16334, '*')
+);
+?>
+--EXPECTF--
+Warning: Parameter 1 to {closure}() expected to be a reference, value given in %s on line %d
Index: branches/PHP_5_3/Zend/zend_execute_API.c
===================================================================
--- branches/PHP_5_3/Zend/zend_execute_API.c	(revision 323862)
+++ branches/PHP_5_3/Zend/zend_execute_API.c	(working copy)
@@ -877,11 +877,9 @@
 
 				if (fci->no_separation &&
 				    !ARG_MAY_BE_SENT_BY_REF(EX(function_state).function, i + 1)) {
-					if(i) {
-						/* hack to clean up the stack */
-						zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
-						zend_vm_stack_clear_multiple(TSRMLS_C);
-					}
+					/* hack to clean up the stack */
+					zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
+					zend_vm_stack_clear_multiple(TSRMLS_C);
 
 					zend_error(E_WARNING, "Parameter %d to %s%s%s() expected to be a reference, value given",
 						i+1,
Index: branches/PHP_5_3/NEWS
===================================================================
--- branches/PHP_5_3/NEWS	(revision 323862)
+++ branches/PHP_5_3/NEWS	(working copy)
@@ -7,6 +7,8 @@
     function is by reference). (Nikita Popov)
 
 - Core:
+  . Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks
+    / crashes). (Nikita Popov)
   . Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
   . Improved max_input_vars directive to check nested variables (Dmitry).
   . Fixed bug #61095 (Incorect lexing of 0x00*+<NUM>). (Etienne)
Index: branches/PHP_5_4/Zend/tests/bug61273.phpt
===================================================================
--- branches/PHP_5_4/Zend/tests/bug61273.phpt	(revision 0)
+++ branches/PHP_5_4/Zend/tests/bug61273.phpt	(working copy)
@@ -0,0 +1,11 @@
+--TEST--
+Bug #61273: call_user_func_array with more than 16333 arguments leaks / crashes
+--FILE--
+<?php
+call_user_func_array(
+    function (&$a) {},
+    array_fill(0, 16334, '*')
+);
+?>
+--EXPECTF--
+Warning: Parameter 1 to {closure}() expected to be a reference, value given in %s on line %d
Index: branches/PHP_5_4/Zend/zend_execute_API.c
===================================================================
--- branches/PHP_5_4/Zend/zend_execute_API.c	(revision 323862)
+++ branches/PHP_5_4/Zend/zend_execute_API.c	(working copy)
@@ -859,11 +859,9 @@
 
 				if (fci->no_separation &&
 				    !ARG_MAY_BE_SENT_BY_REF(EX(function_state).function, i + 1)) {
-					if(i) {
-						/* hack to clean up the stack */
-						zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
-						zend_vm_stack_clear_multiple(TSRMLS_C);
-					}
+					/* hack to clean up the stack */
+					zend_vm_stack_push_nocheck((void *) (zend_uintptr_t)i TSRMLS_CC);
+					zend_vm_stack_clear_multiple(TSRMLS_C);
 
 					zend_error(E_WARNING, "Parameter %d to %s%s%s() expected to be a reference, value given",
 						i+1,
Index: branches/PHP_5_4/NEWS
===================================================================
--- branches/PHP_5_4/NEWS	(revision 323862)
+++ branches/PHP_5_4/NEWS	(working copy)
@@ -27,6 +27,8 @@
   . Fixed bug #61106 (Segfault when using header_register_callback). (Nikita Popov)
   . Fixed bug #61165 (Segfault - strip_tags()). (Laruence)
   . Fixed bug #61225 (Incorect lexing of 0b00*+<NUM>). (Pierrick)
+  . Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks
+    / crashes). (Nikita Popov)
 
 - Installation
   . Fixed bug #61172 (Add Apache 2.4 support). (Chris Jones)