From 3f4bc94b0092aa1699be89a88b8a4e62507d1843 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 10 Jun 2021 10:52:53 +0200
Subject: [PATCH] Mitigation for bug #81096

This issue is properly fixed by GH-7121 on master. For older
branches, disable the use of range information in SCCP, to
reduce impact of potentially incorrect ranges.
---
 ext/opcache/Optimizer/sccp.c       |  3 +++
 ext/opcache/tests/ref_range_1.phpt | 25 +++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 ext/opcache/tests/ref_range_1.phpt

diff --git a/ext/opcache/Optimizer/sccp.c b/ext/opcache/Optimizer/sccp.c
index d9f63b4cb75..0307ccaf618 100644
--- a/ext/opcache/Optimizer/sccp.c
+++ b/ext/opcache/Optimizer/sccp.c
@@ -2193,6 +2193,8 @@ static zval *value_from_type_and_range(sccp_ctx *ctx, int var_num, zval *tmp) {
 		return tmp;
 	}
 
+#if 0
+	/* Disabled due to bug #81096. */
 	if (!(info->type & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_LONG))
 			&& info->has_range
 			&& !info->range.overflow && !info->range.underflow
@@ -2200,6 +2202,7 @@ static zval *value_from_type_and_range(sccp_ctx *ctx, int var_num, zval *tmp) {
 		ZVAL_LONG(tmp, info->range.min);
 		return tmp;
 	}
+#endif
 
 	return NULL;
 }
diff --git a/ext/opcache/tests/ref_range_1.phpt b/ext/opcache/tests/ref_range_1.phpt
new file mode 100644
index 00000000000..cf211ad00e8
--- /dev/null
+++ b/ext/opcache/tests/ref_range_1.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Range info for references (1)
+--FILE--
+<?php
+
+function test() {
+    escape_x($x);
+    $x = 0;
+    modify_x();
+    return (int) $x;
+}
+
+function escape_x(&$x) {
+    $GLOBALS['x'] =& $x;
+}
+
+function modify_x() {
+    $GLOBALS['x']++;
+}
+
+var_dump(test());
+
+?>
+--EXPECT--
+int(1)