php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55750 memory copy issue in sysvshm extension
Submitted: 2011-09-21 06:03 UTC Modified: 2011-10-03 18:16 UTC
From: jeffhuang9999 at gmail dot com Assigned: iliaa
Status: Closed Package: *General Issues
PHP Version: 5.4SVN-2011-09-21 (snap) OS: Linux
Private report: No CVE-ID:
 [2011-09-21 06:03 UTC] jeffhuang9999 at gmail dot com
Description:
------------
In the function php_remove_shm_data() in ext/sysvshm/sysvshm.c, memcpy() is used for copying a piece of data from next_chunk_ptr to chunk_ptr.  If there is an memory overlap between the source and the destination, using memcpy() could result in unexpected result.


Test script:
---------------
NA


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-09-21 06:04 UTC] jeffhuang9999 at gmail dot com
Patch:

--- ext/sysvshm/sysvshm.c
+++ ext/sysvshm/sysvshm.c
@@ -424,7 +424,7 @@
        ptr->free += chunk_ptr->next;
        ptr->end -= chunk_ptr->next;
        if (memcpy_len > 0) {
-               memcpy(chunk_ptr, next_chunk_ptr, memcpy_len);
+               memmove(chunk_ptr, next_chunk_ptr, memcpy_len);
        }
        return 0;
 }
 [2011-10-03 18:16 UTC] iliaa@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=317673
Log: Fixed bug #55750 (memory copy issue in sysvshm extension).
 [2011-10-03 18:16 UTC] iliaa@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: iliaa
 [2011-10-03 18:16 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:48 UTC] laruence@php.net
Automatic comment on behalf of iliaa
Revision: http://git.php.net/?p=php-src.git;a=commit;h=75bdf86d61cb0f01aa0da7e99819d88d927d69f3
Log: Fixed bug #55750 (memory copy issue in sysvshm extension).
 [2012-07-24 23:39 UTC] rasmus@php.net
Automatic comment on behalf of iliaa
Revision: http://git.php.net/?p=php-src.git;a=commit;h=75bdf86d61cb0f01aa0da7e99819d88d927d69f3
Log: Fixed bug #55750 (memory copy issue in sysvshm extension).
 [2013-11-17 09:36 UTC] laruence@php.net
Automatic comment on behalf of iliaa
Revision: http://git.php.net/?p=php-src.git;a=commit;h=75bdf86d61cb0f01aa0da7e99819d88d927d69f3
Log: Fixed bug #55750 (memory copy issue in sysvshm extension).
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 07:02:02 2014 UTC