Bug #58301 [PATCH] off-by-one causes corrupted arrays in 3.0.x
Submitted: 2008-08-05 17:33 UTC Modified: 2008-09-11 14:37 UTC
From: pecl at pureftpd dot org Assigned:
Status: Closed Package: memcache (PECL)
PHP Version: Irrelevant OS: any
Private report: No CVE-ID: None

 [2008-08-05 17:33 UTC] pecl at pureftpd dot org
Description:
------------
Hello,

Keys are not properly duplicated in the NON_BLOCKING_IO 
branch. When arrays are created in mmc_value_handler_multi(), 
the keys are corrupted.

Try the test code below, while PHP is compiled as an Apache 
module (by chance, it's more difficult to reproduce with 
php-fpm or cli).



Reproduce code:
---------------
error_reporting(E_ALL);

$mcp = new MemcachePool();
$mcp->addServer('127.0.0.1');
$mcp->set('key', 'value');
$v = $mcp->get(array('key'));
print_r($v['key']);


(thanks to Patrice Damezin for the test case)

Expected result:
----------------
This is a multi-key operation. We actually get an array as a 
result in $v.

var_dump($v) shows that it actually is an associative array, 
with a key that seems to be 'key'.

But trying to look up $v['key'] produces an error.



Here's a patch to fix this:

diff -u -r1.1.2.27 memcache_pool.c
--- memcache_pool.c     25 Jun 2008 20:16:57 -0000      
1.1.2.27
+++ memcache_pool.c     5 Aug 2008 21:32:29 -0000
@@ -396,13 +396,13 @@
                const unsigned char *p = (unsigned char 
*)data;
                zval *object = &value;
 
-               char key_tmp[MMC_MAX_KEY_LEN]; 
+               char key_tmp[MMC_MAX_KEY_LEN + 1];
                mmc_request_value_handler value_handler;
                void *value_handler_param;
                mmc_buffer_t buffer_tmp;
 
                /* make copies of data to ensure re-entrancy 
*/
-               memcpy(key_tmp, key, key_len);
+               memcpy(key_tmp, key, key_len + 1);
                value_handler = request->value_handler;
                value_handler_param = request-
>value_handler_param;
 
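Review bot: In the memcpy(key_tmp, key, key_len + 1) line the terminator is taken from the source, so the copy is only correct if key[key_len] is already NUL, and nothing in this hunk checks key_len against MMC_MAX_KEY_LEN before writing into the stack buffer. Consider copying key_len bytes and setting key_tmp[key_len] = '\0' explicitly, guarded by a key_len <= MMC_MAX_KEY_LEN check, or add a comment stating where the caller guarantees both.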


Actual result:
--------------
Notice: Undefined index:  key in /tmp/a.php on line 6

A funny way to fix this:

$v = unserialize(serialize($v));



 [2008-09-11 14:37 UTC] mikael at synd dot info
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.
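
The copy the report describes, as an added example (not code from the memcache extension or from this thread): a length-counted key is copied into a scratch buffer with and without its terminating NUL, and a consumer that compares key_len + 1 bytes fails on the unterminated copy although the visible characters are identical. Assumptions: MAX_KEY_LEN = 250, the helpers copy_key, key_matches and lookup_after_copy, the 0xAA fill standing in for stale stack contents, and the consumer counting the terminator as part of the key.

```c
#include <stdio.h>
#include <string.h>

#define MAX_KEY_LEN 250 /* assumed value, stands in for MMC_MAX_KEY_LEN */

/* Hypothetical consumer: compares key_len + 1 bytes, terminator included
 * (assumption about how the result array stores its keys). */
static int key_matches(const char *stored, const char *wanted, size_t key_len)
{
    return memcmp(stored, wanted, key_len + 1) == 0;
}

/* Copy a length-counted key into dst (MAX_KEY_LEN + 1 bytes).
 * terminate == 0 copies key_len bytes only, leaving dst[key_len] stale;
 * terminate == 1 writes the NUL explicitly. Returns -1 if the key is too long. */
static int copy_key(char *dst, const char *key, size_t key_len, int terminate)
{
    if (key_len > MAX_KEY_LEN)
        return -1;
    memcpy(dst, key, key_len);
    if (terminate)
        dst[key_len] = '\0';
    return 0;
}

/* Copies "key" into a scratch buffer pre-filled with 0xAA (constructed
 * stand-in for stale stack contents); returns 1 if the lookup then matches. */
static int lookup_after_copy(int terminate)
{
    char key_tmp[MAX_KEY_LEN + 1];
    const char *key = "key";
    size_t key_len = strlen(key);

    memset(key_tmp, 0xAA, sizeof key_tmp);
    if (copy_key(key_tmp, key, key_len, terminate) != 0)
        return 0;
    /* The first key_len bytes read "key" in both cases. */
    printf("visible=\"%.*s\" ", (int)key_len, key_tmp);
    return key_matches(key_tmp, key, key_len);
}

int main(void)
{
    printf("unterminated copy: lookup=%d\n", lookup_after_copy(0));
    printf("terminated copy:   lookup=%d\n", lookup_after_copy(1));
    return 0;
}
```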


 