this refers to svn commit: http://svn.php.net/viewvc?view=revision&revision=323007 aka CVE-2012-0830 link: https://bugzilla.redhat.com/show_bug.cgi?id=786686
diff -up php-5.2.17/main/php_variables.c.bug-323007 php-5.2.17/main/php_variables.c
--- php-5.2.17/main/php_variables.c.bug-323007 2012-02-03 12:12:09.000000000 +0700
+++ php-5.2.17/main/php_variables.c 2012-02-03 13:17:16.000000000 +0700
@@ -187,12 +187,17 @@ PHPAPI void php_register_variable_ex(cha
  }
  if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
  || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
- if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
- php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
- }
+ if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
+ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ }
  MAKE_STD_ZVAL(gpc_element);
  array_init(gpc_element);
  zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ } else {
+ efree(var_orig);
+ return;
+ }
  }
  if (index != escaped_index) {
  efree(escaped_index);
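Review bot: The new `else` branch returns after `efree(var_orig);` without releasing `escaped_index`, even though the context lines right after the branch free it whenever `index != escaped_index`. On this early-return path that buffer is never freed within the function, and the path is taken exactly when a request carries more input variables than `PG(max_input_vars)` allows, so it is reachable from untrusted input. Adding `if (index != escaped_index) { efree(escaped_index); }` ahead of `efree(var_orig);` would keep the rejection path's cleanup consistent with the normal path. php_register_variable_ex starts and ends outside the hunk, so whether `val` or other locals also need releasing before this `return` cannot be confirmed from the lines shown and should be checked against the full function.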