From a3740dadecec9d47cde6055996e2ca13dd10c4f6 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Thu, 18 Aug 2016 15:37:15 +0800
Subject: [PATCH 1/2] Remove outdate checks
---
ext/session/session.c | 16 ----------------
ext/session/tests/bug72681.phpt | 7 ++++++-
2 files changed, 6 insertions(+), 17 deletions(-)
diff --git a/ext/session/session.c b/ext/session/session.c
index b303b906530..9668db4c833 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -835,7 +835,6 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
PHP_VAR_UNSERIALIZE_INIT(var_hash);
for (p = val; p < endptr; ) {
- zval *tmp;
skip = 0;
namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);
@@ -850,13 +849,6 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
p += namelen + 1;
- if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
- if ((Z_TYPE_P(tmp) == IS_ARRAY &&
- Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
- skip = 1;
- }
- }
-
if (has_value) {
zval *current, rv;
current = var_tmp_var(&var_hash);
@@ -933,7 +925,6 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
p = val;
while (p < endptr) {
- zval *tmp;
q = p;
skip = 0;
while (*q != PS_DELIMITER) {
@@ -950,13 +941,6 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
name = zend_string_init(p, namelen, 0);
q++;
- if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
- if ((Z_TYPE_P(tmp) == IS_ARRAY &&
- Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
- skip = 1;
- }
- }
-
if (has_value) {
zval *current, rv;
current = var_tmp_var(&var_hash);
diff --git a/ext/session/tests/bug72681.phpt b/ext/session/tests/bug72681.phpt
index ceca6ecc33f..4752767d50a 100644
--- a/ext/session/tests/bug72681.phpt
+++ b/ext/session/tests/bug72681.phpt
@@ -6,12 +6,17 @@ Bug #72681: PHP Session Data Injection Vulnerability
--EXPECT--
array(0) {
}
+array(1) {
+ ["ryat"]=>
+ string(24) "ryat|O:8:"stdClass":0:{}"
+}
From 66a527b8c1942cae140c5dab5f3eff2e33ca9740 Mon Sep 17 00:00:00 2001
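Review bot: With the `skip = 1;` assignment deleted from the php_binary decoder, `skip` has no writer left in this diff other than the `skip = 0;` reset at the top of the loop, so whatever consumes the flag later in the function (outside the hunk) now always sees 0. If no other assignment survives in the full function, the flag should go in the same change rather than linger as a dead knob someone may later wire back to a name-based check: delete `skip = 0;` and make the store it presumably guards unconditional. The decoder loop begins and ends outside this hunk, so please confirm against the complete body before removing it.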
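Review bot: The removed lookup was the only comparison of a decoded key against `EG(symbol_table)` visible in this diff, so after the change a serialized key such as `GLOBALS` or `_SESSION` is accepted like any other name; that is safe only if the store that follows (outside the hunk) writes exclusively into `PS(http_session_vars)` and never into the global symbol table, and nothing in the hunk records that reasoning. I would add a one-line comment above `if (has_value) {` so the next reader neither reinstates the check nor assumes it still exists, for example `/* Keys are not filtered against EG(symbol_table): decoded values land in PS(http_session_vars) only, never as globals (register_globals is gone). */`, adjusted if the store does anything more. The php_binary decoder above drops the identical block and should carry the same comment. The enclosing while loop starts and ends outside this hunk.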
From: Xinchen Hui
Date: Thu, 18 Aug 2016 15:37:39 +0800
Subject: [PATCH 2/2] Fixed segfault introduced in 447e57a1e12cdcc6791302d5097119fb2165475a
---
ext/opcache/Optimizer/zend_inference.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
index e3bf922a9fb..174528f2e11 100644
--- a/ext/opcache/Optimizer/zend_inference.c
+++ b/ext/opcache/Optimizer/zend_inference.c
@@ -3695,14 +3695,14 @@ static zend_bool can_convert_to_double(
static int zend_type_narrowing(const zend_op_array *op_array, const zend_script *script, zend_ssa *ssa)
{
uint32_t bitset_len = zend_bitset_len(ssa->vars_count);
- zend_bitset visited = 0;
- zend_bitset worklist = visited + bitset_len;
+ zend_bitset visited, worklist;
int i, v;
zend_op *opline;
zend_bool narrowed = 0;
ALLOCA_FLAG(use_heap)
visited = ZEND_BITSET_ALLOCA(2 * bitset_len, use_heap);
+ worklist = visited + bitset_len;
zend_bitset_clear(worklist, bitset_len);
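Review bot: The new `worklist = visited + bitset_len;` line leaves undocumented that `worklist` is merely the second half of the single `2 * bitset_len` allocation obtained through `visited`, which is exactly the relationship the old `visited = 0` initialiser broke by fixing `worklist` as an offset from a null pointer before the real allocation ran; the teardown, which must free through `visited` and never through `worklist`, lies outside the hunk. I would annotate the line as `worklist = visited + bitset_len; /* second half of the visited allocation; release via visited only */`. Note too that only `worklist` is zeroed here, so `visited` still holds whatever the stack (or heap, when use_heap is set) contained until something later clears it, which is fine only if that happens before the first read and is not visible from this hunk. The body of zend_type_narrowing continues past the end of the hunk.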