php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #58236 No check for parameter count in php_mmc_store
Submitted: 2008-06-16 20:40 UTC Modified: 2008-06-25 16:57 UTC
From: nicolas at netlog dot com Assigned:
Status: Closed Package: memcache (PECL)
PHP Version: 5.2.5 OS: debian
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: nicolas at netlog dot com
New email:
PHP Version: OS:

 

 [2008-06-16 20:40 UTC] nicolas at netlog dot com
Description:
------------
The function php_mmc_store doesn't check for required parameters, just segfaults.

In fact, parameter checking isn't done on some other functions too.

PS: I can't select PHP 5.2.6 which I'm using, so that's why I selected 5.2.5.

Fix:
poison@netlog:/usr/src$ diff -ruN memcache-3.0.1-orig/memcache.c  memcache-3.0.1/memcache.c 
--- memcache-3.0.1-orig/memcache.c      2008-02-05 21:00:12.000000000 +0100
+++ memcache-3.0.1/memcache.c   2008-06-17 02:26:49.000000000 +0200
@@ -380,11 +380,13 @@
        long flags = 0, exptime = 0, cas = 0;
 
        if (mmc_object == NULL) {
+               if(ZEND_NUM_ARGS() < 3) WRONG_PARAM_COUNT;
                if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Oz|zlll", &mmc_object, memcache_pool_ce, &keys, &value, &flags, &exptime, &cas) == FAILURE) {
                        return;
                }
        }
        else {
+               if(ZEND_NUM_ARGS() < 2) WRONG_PARAM_COUNT;
                if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z|zlll", &keys, &value, &flags, &exptime, &cas) == FAILURE) {
                        return;
                }


Reproduce code:
---------------
<?php

        $mc = new Memcache ();
        if ($mc->addServer ('netlog', 11211, TRUE, 1, 1, 1, TRUE, '__errorCallback') === FALSE)
        {
                die ("Unable to connect\n");
        }

        $mc->set ('key');

        function __errorCallback ($host, $tcpPort, $udpPort, $error, $errno)
        {
                die ("Memcache error '$host' '$tcpPort' '$udpPort' '$error' '$errno'\n");
        }

?>


Expected result:
----------------
Warning: Wrong parameter count for MemcachePool::set() in /home/jakob/src/testmc2.php on line 9


Actual result:
--------------
Segmentation fault


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-06-25 16:57 UTC] mikael at synd dot info
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 23:01:28 2024 UTC