From a219fc175333f11c0e2fe90efd25e7d8fee5fdfb Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Tue, 9 Feb 2016 12:20:11 +0800
Subject: [PATCH] Fixed bug (Low probability segfault in zend_arena)
---
 NEWS | 1 +
 Zend/zend_arena.h | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index fce91668a6..7b1023f961 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP NEWS
 ?? ??? 2016 PHP 7.0.4
 - Core:
+ . Fixed bug (Low probability segfault in zend_arena). (Laruence)
 . Fixed bug #71485 (Return typehint on interanal func causes Fatal error when it throws exception). (Laruence)
 . Fixed bug #71474 (Crash because of VM stack corruption on Magento2).
diff --git a/Zend/zend_arena.h b/Zend/zend_arena.h
index 7456610b65..e89e06b1b0 100644
--- a/Zend/zend_arena.h
+++ b/Zend/zend_arena.h
@@ -103,11 +103,12 @@ static zend_always_inline void zend_arena_release(zend_arena **arena_ptr, void *
 zend_arena *arena = *arena_ptr;
 while (UNEXPECTED((char*)checkpoint > arena->end) ||
- UNEXPECTED((char*)checkpoint < (char*)arena)) {
+ UNEXPECTED((char*)checkpoint <= (char*)arena)) {
 zend_arena *prev = arena->prev;
 efree(arena);
 *arena_ptr = arena = prev;
 }
+ ZEND_ASSERT((char*)checkpoint > (char*)arena && (char*)checkpoint <= arena->end);
 arena->ptr = (char*)checkpoint;
 }
--
2.40.0
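Review bot: In the `Zend/zend_arena.h` hunk the new `ZEND_ASSERT` sits after the loop, so it cannot catch a checkpoint that lies in no arena of the chain: `prev` then becomes NULL and the loop condition reads `arena->end` through it before the assertion is reached. Adding `ZEND_ASSERT(prev != NULL);` right after `zend_arena *prev = arena->prev;` would make a stale or mismatched checkpoint fail at a diagnosable point. As far as I know `ZEND_ASSERT` is only checked in debug builds, so release builds still depend on every caller passing a checkpoint taken from this chain. The change from `<` to `<=` also deserves a comment such as `/* a checkpoint equal to an older arena's end may coincide with the address of a newer arena header; keep unwinding */`, a reading inferred from the first condition accepting `checkpoint == arena->end`. The signature and opening brace of `zend_arena_release` lie outside the hunk.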