Fixed bug (Low probability segfault in zend_arena)

author: Xinchen Hui <laruence@gmail.com> 2016-02-09 12:20:11 +0800
committer: Xinchen Hui <laruence@gmail.com> 2016-02-09 12:20:11 +0800
commit: a219fc175333f11c0e2fe90efd25e7d8fee5fdfb (patch)
tree: 9ac7337f23e497e86cf6bbc6b6ab0b2b8f336f25
parent: 2aa585a505dea5a1e0ba4371f0ef24ce5926b00c (diff)
download: php-git-a219fc175333f11c0e2fe90efd25e7d8fee5fdfb.tar.gz
2 files changed, 3 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index fce91668a6..7b1023f961 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2016 PHP 7.0.4
 
 - Core:
+  . Fixed bug (Low probability segfault in zend_arena). (Laruence)
   . Fixed bug #71485 (Return typehint on interanal func causes Fatal error
     when it throws exception). (Laruence)
   . Fixed bug #71474 (Crash because of VM stack corruption on Magento2).
diff --git a/Zend/zend_arena.h b/Zend/zend_arena.h
index 7456610b65..e89e06b1b0 100644
--- a/Zend/zend_arena.h
+++ b/Zend/zend_arena.h
@@ -103,11 +103,12 @@ static zend_always_inline void zend_arena_release(zend_arena **arena_ptr, void *
 	zend_arena *arena = *arena_ptr;
 
 	while (UNEXPECTED((char*)checkpoint > arena->end) ||
-	       UNEXPECTED((char*)checkpoint < (char*)arena)) {
+	       UNEXPECTED((char*)checkpoint <= (char*)arena)) {
 		zend_arena *prev = arena->prev;
 		efree(arena);
 		*arena_ptr = arena = prev;
 	}
+	ZEND_ASSERT((char*)checkpoint > (char*)arena && (char*)checkpoint <= arena->end);
 	arena->ptr = (char*)checkpoint;
 }
author	Xinchen Hui <laruence@gmail.com>	2016-02-09 12:20:11 +0800
committer	Xinchen Hui <laruence@gmail.com>	2016-02-09 12:20:11 +0800
commit	a219fc175333f11c0e2fe90efd25e7d8fee5fdfb (patch)
tree	9ac7337f23e497e86cf6bbc6b6ab0b2b8f336f25
parent	2aa585a505dea5a1e0ba4371f0ef24ce5926b00c (diff)
download	php-git-a219fc175333f11c0e2fe90efd25e7d8fee5fdfb.tar.gz