Diffstat (limited to 'Zend')
-rw-r--r--Zend/tests/bug72767.phpt16
-rw-r--r--Zend/zend_execute.c10
2 files changed, 20 insertions, 6 deletions
diff --git a/Zend/tests/bug72767.phpt b/Zend/tests/bug72767.phpt
new file mode 100644
index 0000000000..20b559b2a1
--- /dev/null
+++ b/Zend/tests/bug72767.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #72767: PHP Segfaults when trying to expand an infinite operator
+--FILE--
+<?php
+
+function test() {}
+$iterator = new LimitIterator(
+ new InfiniteIterator(new ArrayIterator([42])),
+ 0, 17000
+);
+test(...$iterator);
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
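Review bot: The count `17000` in the `LimitIterator` call is unexplained, and the test covers only that one size. It is presumably chosen so that the unpacked arguments no longer fit in the current VM stack page and force a new one to be allocated, but the file does not say so. A comment such as `// more arguments than fit in one VM stack page` (to be confirmed against the page-slot constant in zend_execute.c) would keep a later edit from shrinking the value below the threshold that triggers the bug.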
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index af90b442f0..1012b3cc4f 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -145,7 +145,8 @@ static const zend_internal_function zend_pass_function = {
((ZEND_VM_STACK_PAGE_SLOTS(gen) - ZEND_VM_STACK_HEADER_SLOTS) * sizeof(zval))
#define ZEND_VM_STACK_PAGE_ALIGNED_SIZE(gen, size) \
- (((size) + (ZEND_VM_STACK_FREE_PAGE_SIZE(gen) - 1)) & ~(ZEND_VM_STACK_PAGE_SIZE(gen) - 1))
+ (((size) + ZEND_VM_STACK_HEADER_SLOTS * sizeof(zval) \
+ + (ZEND_VM_STACK_PAGE_SIZE(gen) - 1)) & ~(ZEND_VM_STACK_PAGE_SIZE(gen) - 1))
static zend_always_inline zend_vm_stack zend_vm_stack_new_page(size_t size, zend_vm_stack prev) {
zend_vm_stack page = (zend_vm_stack)emalloc(size);
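Review bot: The rewritten `ZEND_VM_STACK_PAGE_ALIGNED_SIZE` has no comment saying that `size` is the payload in bytes and that the result already includes the page header, which is the confusion this change corrects. I would put `/* size = payload bytes; result = payload + header, rounded up to a whole page */` above the `#define`. The sum `(size) + ZEND_VM_STACK_HEADER_SLOTS * sizeof(zval) + (ZEND_VM_STACK_PAGE_SIZE(gen) - 1)` is also unchecked, so a `size` close to `SIZE_MAX` would wrap and produce a page smaller than the request. Whether any caller can pass such a value is not visible in this hunk, so a bound at the call site is worth confirming. `zend_vm_stack_new_page` begins in the trailing context and its body continues outside the hunk.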
@@ -822,11 +823,8 @@ static zend_always_inline int zend_verify_arg_type(zend_function *zf, uint32_t a
} else {
ce = zend_verify_arg_class_kind(cur_arg_info);
if (UNEXPECTED(!ce)) {
- if (Z_TYPE_P(arg) == IS_OBJECT) {
- zend_verify_arg_error(zf, arg_num, "be an instance of ", ZSTR_VAL(cur_arg_info->class_name), "instance of ", ZSTR_VAL(Z_OBJCE_P(arg)->name), arg);
- } else {
- zend_verify_arg_error(zf, arg_num, "be an instance of ", ZSTR_VAL(cur_arg_info->class_name), "", zend_zval_type_name(arg), arg);
- }
+ ZEND_ASSERT(Z_TYPE_P(arg) != IS_OBJECT);
+ zend_verify_arg_error(zf, arg_num, "be an instance of ", ZSTR_VAL(cur_arg_info->class_name), "", zend_zval_type_name(arg), arg);
return 0;
}
*cache_slot = (void*)ce;
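Review bot: `ZEND_ASSERT(Z_TYPE_P(arg) != IS_OBJECT)` replaces a runtime branch with an invariant whose justification lies outside this hunk, since the condition leading to the `} else {` is not shown and nothing at the assertion says why an object cannot reach it. As far as I know ZEND_ASSERT is only checked in debug builds and becomes an optimizer assumption otherwise, so a release build relies on that invariant entirely. A comment such as `/* objects are handled by the branch above; only non-object values reach this point */` would record it, provided that matches the code above. The enclosing function starts before the hunk and continues after it.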