Fix comment for php_safe_bcmp (#10306)

TimWolla · web-flow · commit fd7214436ab3 · 2023-01-12T23:30:36.000+01:00
* main: Fix comment for php_safe_bcmp

* main: Include note about php_safe_bcmp being security sensitive

This is taken from the implementation of `hash_equals()`.
diff --git a/main/safe_bcmp.c b/main/safe_bcmp.c
@@ -19,7 +19,7 @@
 #include <string.h>
 
 /*
- * Returns 0 if both inputs match, 1 if they don't.
+ * Returns 0 if both inputs match, non-zero if they don't.
  * Returns -1 early if inputs do not have the same lengths.
  *
  */
@@ -34,6 +34,7 @@ PHPAPI int php_safe_bcmp(const zend_string *a, const zend_string *b)
 		return -1;
 	}
 
+	/* This is security sensitive code. Do not optimize this for speed. */
 	while (i < ZSTR_LEN(a)) {
 		r |= ua[i] ^ ub[i];
 		++i;

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@`
`19`	`19`	`#include <string.h>`
`20`	`20`
`21`	`21`	`/*`
`22`		`- * Returns 0 if both inputs match, 1 if they don't.`
	`22`	`+ * Returns 0 if both inputs match, non-zero if they don't.`
`23`	`23`	`* Returns -1 early if inputs do not have the same lengths.`
`24`	`24`	`*`
`25`	`25`	`*/`
`@@ -34,6 +34,7 @@ PHPAPI int php_safe_bcmp(const zend_string a, const zend_string b)`
`34`	`34`	`return -1;`
`35`	`35`	`}`
`36`	`36`
	`37`	`+ /* This is security sensitive code. Do not optimize this for speed. */`
`37`	`38`	`while (i < ZSTR_LEN(a)) {`
`38`	`39`	`r \|= ua[i] ^ ub[i];`
`39`	`40`	`++i;`