Recently a new vulnerability has been exposed (and patched) which targets specific platforms as a result of certain assumptions made within the Zend core (specifically zend_strtod.c) when handling floating-point arithmetic.

The issue only manifested in gcc builds with -O2, so a recompile could fix it. Reportedly -O0 fixes it, but I would recommend using -mfpmath=sse, which favours a newer instruction set over the older, deprecated x87 math instructions. A diff of the new PHP revision revealed that the actual committed patch was an additional keyword in a declaration:

double aadj, aadj1, adj;


volatile double aadj, aadj1, adj;

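The volatile keyword instructs the compiler not to optimise accesses to these variables, so each value is written to and read back from memory instead of being held in an x87 register.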

Fortunately this is an x64 server and doesn’t adopt the x87 FPU, but it did affect my laptop. I applied a quick software patch which was something like this (Note: both must be placed at the top of your index, or executed file):

if (strpos(implode($_REQUEST), '2.2250738585072011') !== false) die();


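foreach ($_REQUEST as $k => $v) {
  // unset() inside an array_walk callback only drops the local reference, so remove the entry by key
  if (strpos($k . $v, '2.2250738585072011') !== false) unset($_REQUEST[$k]);
}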

The first example stops script execution if the dangerous value is detected; the second unsets the affected variable, though with improper error handling this could cause errors in some situations.
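A stricter form of the request filter above, as an added example that is not the post's own code: it walks nested arrays (which implode() flattens to the string "Array"), checks keys as well as values, and strips the decimal point before matching. The function names and the 400 response are assumptions, and it remains a stopgap next to upgrading PHP.

```php
<?php
// Added example; function names are hypothetical, not from the post.

// Digits of the value from the post with the decimal point removed.
define('FP_HANG_DIGITS', '22250738585072011');

// True if the digits appear in $s once decimal points are stripped.
function fp_hang_in_string($s)
{
    return strpos(str_replace('.', '', (string) $s), FP_HANG_DIGITS) !== false;
}

// Recursively check the keys and values of an input array.
function fp_hang_in_input($input)
{
    foreach ($input as $key => $value) {
        if (fp_hang_in_string($key)) {
            return true;
        }
        if (is_array($value) ? fp_hang_in_input($value) : fp_hang_in_string($value)) {
            return true;
        }
    }
    return false;
}

// Call first in the entry script, before any request value is used as a number.
function fp_hang_guard()
{
    foreach (array($_GET, $_POST, $_COOKIE) as $source) {
        if (fp_hang_in_input($source)) {
            header('HTTP/1.1 400 Bad Request'); // assumed response; the post uses die()
            exit;
        }
    }
}

fp_hang_guard();

// Constructed sample input, shown only when run from the command line.
if (PHP_SAPI === 'cli') {
    $sample = array(
        'page'   => '3',
        'filter' => array('min' => '0.5', 'max' => '2.2250738585072011e-308'),
    );
    var_dump(fp_hang_in_input($sample));
    var_dump(fp_hang_in_input(array('q' => '1.5')));
}
```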

Fortunately, however, as previously stated, a patch has been committed, so if possible upgrade to PHP 5.3.5 or 5.2.17.

To read more, see the Official PHP Bug Report.