Tweak $count range check of array_fill()

We fix the `UNEXPECTED(EXPECTED(…))`, which does not make sense, and
replace the magic number with the respective macro.   We also add a
test case to verify the expected behavior for an `array_fill()` edge
case.

Closes GH-8804.

Author: cmb69

ext/standard/array.c

@@ -2598,7 +2598,7 @@ PHP_FUNCTION(array_fill)
 	ZEND_PARSE_PARAMETERS_END();
 
 	if (EXPECTED(num > 0)) {
-		if (sizeof(num) > 4 && UNEXPECTED(EXPECTED(num > 0x7fffffff))) {
+		if (sizeof(num) > 4 && UNEXPECTED(num >INT_MAX)) {
 			zend_argument_value_error(2, "is too large");
 			RETURN_THROWS();
 		} else if (UNEXPECTED(start_key > ZEND_LONG_MAX - num + 1)) {

ext/standard/tests/array/array_fill_variation6.phpt

@@ -0,0 +1,19 @@
+--TEST--
+array_fill(): last element
+--FILE--
+<?php
+$a = array_fill(PHP_INT_MAX, 1, "foo");
+var_dump(
+    count($a),
+    array_key_exists(PHP_INT_MAX, $a),
+);
+try {
+    $a[] = "bar";
+} catch (Error $ex) {
+    echo $ex->getMessage(), PHP_EOL;
+}
+?>
+--EXPECT--
+int(1)
+bool(true)
+Cannot add element to the array as the next element is already occupied