Fix assertion failure in cufa optimization with named args

Fixes oss-fuzz#30764.

2 files changed, 9 insertions, 0 deletions

diff --git a/Zend/tests/call_user_func_array_array_slice_named_args.phpt b/Zend/tests/call_user_func_array_array_slice_named_args.phpt
new file mode 100644
index 0000000000..2d84ec4776
--- /dev/null
+++ b/Zend/tests/call_user_func_array_array_slice_named_args.phpt
@@ -0,0 +1,8 @@
+--TEST--
+call_user_func_array() + array_slice() + named arguments
+--FILE--
+<?php
+call_user_func_array('func', array_slice(array: $a, 1, 2));
+?>
+--EXPECTF--
+Fatal error: Cannot use positional argument after named argument in %s on line %d
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 57c33e3c96..19a1c543ab 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -3878,6 +3878,7 @@ zend_result zend_compile_func_cufa(znode *result, zend_ast_list *args, zend_stri
 		zend_string *name = zend_resolve_function_name(orig_name, args->child[1]->child[0]->attr, &is_fully_qualified);
 
 		if (zend_string_equals_literal_ci(name, "array_slice")
+	     && !zend_args_contain_unpack_or_named(list)
 		 && list->children == 3
 		 && list->child[1]->kind == ZEND_AST_ZVAL) {
 			zval *zv = zend_ast_get_zval(list->child[1]);