From e29d44a78b9667b910bfbd74fe00dbee8f9f1365 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?=
Date: Thu, 12 Jan 2023 23:25:53 +0100
Subject: [PATCH 1/2] main: Fix comment for php_safe_bcmp
---
 main/safe_bcmp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main/safe_bcmp.c b/main/safe_bcmp.c
index 27a1756d79b4..e791a99d83c3 100644
--- a/main/safe_bcmp.c
+++ b/main/safe_bcmp.c
@@ -19,7 +19,7 @@
 #include
 /*
- * Returns 0 if both inputs match, 1 if they don't.
+ * Returns 0 if both inputs match, non-zero if they don't.
 * Returns -1 early if inputs do not have the same lengths.
 *
 */
From 5ee560364e99b099a6f74b3ae9dab9ea42e033ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?=
Date: Thu, 12 Jan 2023 23:27:09 +0100
Subject: [PATCH 2/2] main: Include note about php_safe_bcmp being security sensitive
This is taken from the implementation of `hash_equals()`.
---
 main/safe_bcmp.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/main/safe_bcmp.c b/main/safe_bcmp.c
index e791a99d83c3..3e806de4ab6e 100644
--- a/main/safe_bcmp.c
+++ b/main/safe_bcmp.c
@@ -34,6 +34,7 @@ PHPAPI int php_safe_bcmp(const zend_string *a, const zend_string *b)
 return -1;
 }
+ /* This is security sensitive code. Do not optimize this for speed. */
 while (i < ZSTR_LEN(a)) {
 r |= ua[i] ^ ub[i];
 ++i;
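Review bot: The corrected comment in the first hunk still leaves the two things a caller of php_safe_bcmp most needs unstated: that the non-zero result is the OR of per-byte XOR differences (visible in the second patch's `r |= ua[i] ^ ub[i]`) and so carries no ordering, and that the `-1` length-mismatch path is an early exit taken before any byte is compared, so only the byte loop is constant-time while the length check is not. I would add after the `-1` line: ` * Only compare the result against 0: a non-zero value carries no ordering, and the length` / ` * check is an early exit, so the constant-time guarantee covers the byte comparison only.` The function the comment describes is defined below this hunk, so its declarations and return are outside what is visible here.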
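Review bot: The comment added in the second hunk states an intent but not the invariant a maintainer must preserve, and a comment on its own does not constrain the compiler; what keeps this loop constant-time is that every byte of both inputs is visited and the differences are folded into `r` with `|=` instead of being branched on, plus whatever qualifiers the `ua`/`ub` declarations carry (those are above the hunk and should be checked for `volatile`). I would make the note say that: `/* Constant-time compare: every byte of both inputs is visited and the differences are` / ` * accumulated into r with |=; never branch on a byte result, exit early, or let the` / ` * compiler short-circuit this loop. */`. It is also worth noting next to the `while` that bounding the loop by `ZSTR_LEN(a)` alone is safe only because the `return -1` above guarantees both lengths are equal. The function's signature appears only in the hunk header and its return statement lies past the end of the hunk.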