1 files changed, 41 insertions, 0 deletions

diff --git a/php-bugarm.patch b/php-bugarm.patch
new file mode 100644
index 0000000..6bd63b3
--- /dev/null
+++ b/php-bugarm.patch
@@ -0,0 +1,41 @@
+From 60d2e70c062e436a6c6cd3c8a17469a083a38b46 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Tue, 10 Dec 2013 12:07:46 +0100
+Subject: [PATCH] Zend: fix overflow handling bug in non-x86
+ fast_add_function()
+
+The 'result' argument of fast_add_function() may alias with either
+of its operands (or both). Take care not to write to 'result' before
+reading op1 and op2.
+---
+ Zend/zend_operators.h | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/Zend/zend_operators.h b/Zend/zend_operators.h
+index 0152e03..5c6fc86 100644
+--- a/Zend/zend_operators.h
++++ b/Zend/zend_operators.h
+@@ -640,13 +640,18 @@ static zend_always_inline int fast_add_function(zval *result, zval *op1, zval *o
+ 			  "n"(ZVAL_OFFSETOF_TYPE)
+ 			: "rax","cc");
+ #else
+-			Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2);
++			/*
++			 * 'result' may alias with op1 or op2, so we need to
++			 * ensure that 'result' is not updated until after we
++			 * have read the values of op1 and op2.
++			 */
+ 
+ 			if (UNEXPECTED((Z_LVAL_P(op1) & LONG_SIGN_MASK) == (Z_LVAL_P(op2) & LONG_SIGN_MASK)
+-				&& (Z_LVAL_P(op1) & LONG_SIGN_MASK) != (Z_LVAL_P(result) & LONG_SIGN_MASK))) {
++				&& (Z_LVAL_P(op1) & LONG_SIGN_MASK) != ((Z_LVAL_P(op1) + Z_LVAL_P(op2)) & LONG_SIGN_MASK))) {
+ 				Z_DVAL_P(result) = (double) Z_LVAL_P(op1) + (double) Z_LVAL_P(op2);
+ 				Z_TYPE_P(result) = IS_DOUBLE;
+ 			} else {
++				Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2);
+ 				Z_TYPE_P(result) = IS_LONG;
+ 			}
+ #endif
+-- 
+1.8.4.3
+