]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2aa585a)
Fixed bug (Low probability segfault in zend_arena)
authorXinchen Hui <laruence@gmail.com>
Tue, 9 Feb 2016 04:20:11 +0000 (12:20 +0800)
committerXinchen Hui <laruence@gmail.com>
Tue, 9 Feb 2016 04:20:11 +0000 (12:20 +0800)
NEWS patch | blob | history
Zend/zend_arena.h patch | blob | history

diff --git a/NEWS b/NEWS
index fce91668a6f75ec4681adc6bcab3cdd323c0b80b..7b1023f961a237bf3b96418e762b211dd24501ef 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2016 PHP 7.0.4
 
 - Core:
+  . Fixed bug (Low probability segfault in zend_arena). (Laruence)
   . Fixed bug #71485 (Return typehint on interanal func causes Fatal error
     when it throws exception). (Laruence)
   . Fixed bug #71474 (Crash because of VM stack corruption on Magento2).
diff --git a/Zend/zend_arena.h b/Zend/zend_arena.h
index 7456610b65bf6bc6ed9ba0ae8d0ef4d75da4e1a5..e89e06b1b0fb3e54dad2cd2f5013f2fa11b2ef50 100644 (file)
--- a/Zend/zend_arena.h
+++ b/Zend/zend_arena.h
@@ -103,11 +103,12 @@ static zend_always_inline void zend_arena_release(zend_arena **arena_ptr, void *
        zend_arena *arena = *arena_ptr;
 
        while (UNEXPECTED((char*)checkpoint > arena->end) ||
-              UNEXPECTED((char*)checkpoint < (char*)arena)) {
+              UNEXPECTED((char*)checkpoint <= (char*)arena)) {
                zend_arena *prev = arena->prev;
                efree(arena);
                *arena_ptr = arena = prev;
        }
+       ZEND_ASSERT((char*)checkpoint > (char*)arena && (char*)checkpoint <= arena->end);
        arena->ptr = (char*)checkpoint;
 }
 
Unnamed repository; edit this file 'description' to name the repository.