Bug #59145 php5 crashes with SIGSEGV in mmc_open()
Submitted: 2010-04-03 11:37 UTC Modified: 2010-04-03 15:05 UTC
From: vladimir at extrememember dot com Assigned:
Status: Closed Package: memcache (PECL)
PHP Version: 5.3.1 OS: Ubuntu 10.04
Private report: No CVE-ID: None
 [2010-04-03 11:37 UTC] vladimir at extrememember dot com
Description:
------------
PHP crashes when $weight parameter to Memcache::addServer() is 0.

Tested on Memcache 3.0.4

Reproduce code:
---------------
<?php
$m = new Memcache();
// a weight argument of 0 is what triggers the crash described above
$m->addServer('127.0.0.1', 11211, true, 0);
$m->get('test');
?>

The crash happens when $weight parameter to Memcache::addServer() is zero.

Patch against memcache-3.0.4/memcache.c:

--- memcache.c.orig	2009-02-22 18:01:43.000000000 +0200
+++ memcache.c	2010-03-29 15:54:05.000000000 +0300
@@ -762,7 +762,7 @@
 	mmc_t *mmc;
 	int list_id, resource_type;
 
-	if (weight < 0) {
+	if (weight <= 0) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "weight must be a positive integer");
 		return NULL;
 	}
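Review bot: the tightened guard `weight <= 0` is the right boundary and finally agrees with the warning text, which already said "positive integer" while the old `weight < 0` check let zero through; frame #0 of the attached trace shows mmc_open() entered with `mmc=0x563e159d612155fb`, a value that is not a plausible heap address, consistent with a zero-weight server never being placed in the hash yet still being picked by mmc_standard_find_server(). Two smaller points: this path raises E_WARNING and returns NULL, so PHP-level callers see addServer() fail rather than throw, which matches the existing negative-weight handling and should stay that way; and a one-line comment on the check explaining that a zero weight would leave the server unreachable would help the next reader understand why zero is an error rather than "no preference".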


Expected result:
----------------
Error message

Actual result:
--------------
#0  mmc_open (mmc=0x563e159d612155fb, force_connect=0, error_string=0x0, errnum=0x0) at /tmp/pear/temp/memcache/memcache.c:1007
No locals.
#1  0x00007fa354162975 in mmc_standard_find_server (s=0x1337900, key=0x7ffff3464420 "test", key_len=4) at /tmp/pear/temp/memcache/memcache_standard_hash.c:89
        mmc = 0x563e159d612155fb
#2  0x00007fa354160998 in mmc_exec_retrieval_cmd (pool=0x1337890, key=0x7ffff3464420 "test", key_len=4, return_value=0x7ffff3464298, return_flags=<value optimized out>) at /tmp/pear/temp/memcache/memcache.c:1279
        mmc = 0x7fa35985b068
        command = 0x1337758 "get test"
        value = 0x7fa3597de445 "I\211\303L\213L$0L\213D$(H\213|$ H\213t$\030H\213T$\020H\213L$\bH\213\004$H\203\304HA\377\343ffffff.\017\037\204"
        result = -1
        command_len = 8
        response_len = <value optimized out>
        value_len = 32767
        flags = 0
#3  0x00007fa354161157 in zif_memcache_get (ht=<value optimized out>, return_value=0x1335ce0, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /tmp/pear/temp/memcache/memcache.c:2349
        pool = 0x1337890
        zkey = 0x1335d30
        mmc_object = 0x1335d80
        flags = 0x0
        key = "test\000\000\000\000\200\245\025T\243\177\000\000\240\332\r\001\000\000\000\000WZk\000\000\000\000\000\200{3\001\000\000\000\000\200{3\001", '\000' <repeats 20 times>"\240, \310\065\001\000\000\000\000\000y3\001\000\000\000\000p\366@\000\000\000\000\000(\241\236Y\243\177\000\000\300v3\001\000\000\000\000\377\377\377\377\000\000\000\000\300v3\001\000\000\000\000\005\000\000\000\000\000\000\000\000T\"", '\000' <repeats 13 times>, "\024\000\000\000\000\000\000\000\300v3\001\000\000\000\000\000\000\251R\243\177\000\000\241w}Y\243\177\000\000\005\000\000\000\377\177\000\000\000\000\000\000\000\000\000\000Hs3\001\000\000\000\000p\366@\000\000\000\000\000\260EF\363\377\177\000\000\020w3\001\000\000\000\000h\260\205Y\243\177\000\000\001", '\000' <repeats 15 times>, "E", <incomplete sequence \344>
        key_len = 4
#4  0x00007fa352aa8314 in ?? () from /usr/lib/php5/20090626/suhosin.so
No symbol table info available.
#5  0x00000000006e5a36 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fa35985b068) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:315
        opline = 0x1337228
        should_change_scope = 192 '\300'
#6  0x00000000006bcf00 in execute (op_array=0x1336750) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:104
        ret = 20151208
        execute_data = 0x7fa35985b068
        nested = 255 '\377'
        original_in_execution = 0 '\000'
#7  0x00007fa352aa8836 in ?? () from /usr/lib/php5/20090626/suhosin.so
No symbol table info available.
#8  0x0000000000694c2d in zend_execute_scripts (type=0, retval=0x7ffff3464870, file_count=3) at /build/buildd/php5-5.3.2/Zend/zend.c:1266
        files = {{gp_offset = 0, fp_offset = 0, overflow_arg_area = 0x28, reg_save_area = 0x7ffff3464900}}
        i = 1
        file_handle = 0x7ffff3466de0
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0xd8fc30
#9  0x0000000000640898 in php_execute_script (primary_file=0x7fa357460300) at /build/buildd/php5-5.3.2/main/main.c:2288
        __orig_bailout = 0x7fa3571187ca
        __bailout = {{__jmpbuf = {4081465264, 32767, 0, 0, 19755440, 0, 0, 0}, __mask_was_saved = 3, __saved_mask = {__val = {0, 3, 1464206208, 32675, 4081465272, 32767, 4081473488, 32767, 1464206160, 32675, 4081465271, 32767, 
                1464206200, 32675, 0, 0}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x7ffff3468512 "/var/www/sjinks.org.ua/test/crash.php", opened_path = 0x0, handle = {fd = 1461050963, fp = 0x7fa35715de53, stream = {handle = 0x7fa35715de53, 
              isatty = -213482222, mmap = {len = 4081465536, pos = 0, map = 0x7ffff3468512, buf = 0x7ffff3465b10 "/var/www/sjinks.org.ua/test/crash.php", old_handle = 0x647b66, old_closer = 0x135c8a0}, reader = 0x25, 
              fsizer = 0x7ffff3463e00, closer = 0x7ffff3463e88}}, free_filename = 181 '\265'}
        append_file = {type = 64, filename = 0x2 <Address 0x2 out of bounds>, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 1464196672, pos = 1, map = 0x1, buf = 0x0, 
                old_handle = 0x7ffff3468512, old_closer = 0}, reader = 0x7fa35715c58e <*__GI___libc_malloc+110>, fsizer = 0, closer = 0x7fa35745de40 <main_arena>}}, free_filename = 37 '%'}
        retval = 0
#10 0x0000000000724dc3 in main (argc=0, argv=0x0) at /build/buildd/php5-5.3.2/sapi/cli/php_cli.c:1196
        __bailout = {{__jmpbuf = {0, 0, 110, 0, 1909204408, 3276572298, 14113264, 0}, __mask_was_saved = -1500895816, __saved_mask = {__val = {0, 32767, 23, 0, 20233565, 0, 1501377655, 32675, 158, 1, 316149, 0, 29, 32767, 1452387024, 
                32675}}}}
        exit_status = 1
        c = 20151208
        file_handle = {type = 1503568168, filename = 0x7fa300000004 <Address 0x7fa300000004 out of bounds>, opened_path = 0x7ffff3468512 "/var/www/sjinks.org.ua/test/crash.php", handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, 
              isatty = 20146880, mmap = {len = 0, pos = 94, map = 0x0, buf = 0x7fa3599e1000 <Address 0x7fa3599e1000 out of bounds>, old_handle = 0x7fa3599e1000, old_closer = 0x135c2b0}, reader = 0x6aa750 <zend_stream_stdio_closer>, 
              fsizer = 0x6aad90 <zend_stream_stdio_reader>, closer = 0x6aa810 <zend_stream_stdio_fsizer>}}, free_filename = 16 '\020'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 0
        orig_optarg = 0x0
        arg_excp = 0x7ffff3466fa0
        script_file = 0x7ffff3468512 "/var/www/sjinks.org.ua/test/crash.php"
        interactive = -213482222
        module_started = 1
        request_started = 0
        lineno = 4361195
        exec_direct = 0x0
        exec_run = 0x2570e1ce8 <Address 0x2570e1ce8 out of bounds>
        exec_begin = 0x1570e3c28 <Address 0x1570e3c28 out of bounds>
        exec_end = 0x7ffff3466f98 "\016\205F\363\377\177"
        hide_argv = 0

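As an added illustration (model code written for this page, not memcache.c or its hash module): a weighted bucket ring with hypothetical add_server and find_server functions, showing why a zero weight that passes a `< 0` check registers the server in no slot, and why the patched `<= 0` guard belongs at registration time rather than in the lookup.

```c
#include <stddef.h>

#define MAX_BUCKETS 64

typedef struct { const char *host; int port; } server_t;

/* Weighted ring (hypothetical model): a server with weight w occupies
 * w consecutive slots, so lookups favour heavier servers. */
typedef struct {
    const server_t *buckets[MAX_BUCKETS];
    size_t nbuckets;
} pool_t;

static void fill_buckets(pool_t *p, const server_t *s, int weight)
{
    for (int i = 0; i < weight && p->nbuckets < MAX_BUCKETS; i++)
        p->buckets[p->nbuckets++] = s;
}

/* Pre-patch behaviour: only negative weights are rejected, so weight 0
 * "succeeds" while placing the server in no slot at all. */
int add_server_unchecked(pool_t *p, const server_t *s, int weight)
{
    if (weight < 0) return -1;
    fill_buckets(p, s, weight);
    return 0;
}

/* Patched behaviour: the guard is weight <= 0, matching the warning text
 * "weight must be a positive integer" in the report's diff. */
int add_server(pool_t *p, const server_t *s, int weight)
{
    if (weight <= 0) return -1;
    fill_buckets(p, s, weight);
    return 0;
}

/* Key lookup. Without the empty-ring check, h % 0 is undefined behaviour
 * and whatever happens to sit in buckets[] gets dereferenced: the model of
 * the garbage mmc pointer in frame #0. Returns NULL when the ring is empty. */
const server_t *find_server(const pool_t *p, const char *key)
{
    if (p->nbuckets == 0) return NULL;
    unsigned h = 5381;                      /* djb2, a simple stand-in hash */
    for (; *key; key++) h = h * 33 + (unsigned char)*key;
    return p->buckets[h % p->nbuckets];
}
```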
 [2010-04-03 11:41 UTC] tony at daylessday dot org
Duplicate of PECL bug #16536 (closed 10 days ago).
 [2010-04-03 15:05 UTC] hradtke@php.net
This bug has been fixed in SVN.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

Please see: http://pecl.php.net/bugs/bug.php?id=16536
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sun Jul 13 13:01:32 2025 UTC