PHP :: Bug #58236 :: No check for parameter count in php_mmc

Bug #58236	No check for parameter count in php_mmc_store
Submitted:	2008-06-16 20:40 UTC	Modified:	2008-06-25 16:57 UTC
From:	nicolas at netlog dot com	Assigned:
Status:	Closed	Package:	memcache (PECL)
PHP Version:	5.2.5	OS:	debian
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	nicolas at netlog dot com
New email:
PHP Version:		OS:

New Comment:

[2008-06-16 20:40 UTC] nicolas at netlog dot com

Description:
------------
The function php_mmc_store doesn't check for required parameters, just segfaults.

In fact, parameter checking isn't done on some other functions too.

PS: I can't select PHP 5.2.6 which I'm using, so that's why I selected 5.2.5.

Fix:
poison@netlog:/usr/src$ diff -ruN memcache-3.0.1-orig/memcache.c  memcache-3.0.1/memcache.c 
--- memcache-3.0.1-orig/memcache.c      2008-02-05 21:00:12.000000000 +0100
+++ memcache-3.0.1/memcache.c   2008-06-17 02:26:49.000000000 +0200
@@ -380,11 +380,13 @@
        long flags = 0, exptime = 0, cas = 0;
 
        if (mmc_object == NULL) {
+               if(ZEND_NUM_ARGS() < 3) WRONG_PARAM_COUNT;
                if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Oz|zlll", &mmc_object, memcache_pool_ce, &keys, &value, &flags, &exptime, &cas) == FAILURE) {
                        return;
                }
        }
        else {
+               if(ZEND_NUM_ARGS() < 2) WRONG_PARAM_COUNT;
                if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z|zlll", &keys, &value, &flags, &exptime, &cas) == FAILURE) {
                        return;
                }


Reproduce code:
---------------
<?php

        $mc = new Memcache ();
        if ($mc->addServer ('netlog', 11211, TRUE, 1, 1, 1, TRUE, '__errorCallback') === FALSE)
        {
                die ("Unable to connect\n");
        }

        $mc->set ('key');

        function __errorCallback ($host, $tcpPort, $udpPort, $error, $errno)
        {
                die ("Memcache error '$host' '$tcpPort' '$udpPort' '$error' '$errno'\n");
        }

?>


Expected result:
----------------
Warning: Wrong parameter count for MemcachePool::set() in /home/jakob/src/testmc2.php on line 9


Actual result:
--------------
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-06-25 16:57 UTC] mikael at synd dot info

This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Oct 26 06:00:02 2025 UTC