Bug #59456 zend_parse_parameters is called with key_len defined as size_t
Submitted: 2010-10-11 06:51 UTC Modified: 2021-06-09 11:26 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: gerhardus1 at gmail dot com Assigned: cmb (profile)
Status: Closed Package: memcached (PECL)
PHP Version: 5.3.2 OS: SLES 11 SP1 PPC64
Private report: No CVE-ID: None
 [2010-10-11 06:51 UTC] gerhardus1 at gmail dot com
Description:
------------
In php_memc_get_impl (php_memcached.c) zend_parse_parameters 
is called with parameter &key_len. Zend expects this to be a 
pointer to an int and in the code it is a pointer to a 
size_t. These types are different lengths on PPC64, which causes 
a segmentation error. I add the patch for a suggested fix. 
Since libmemcached expects a pointer to a size_t length it is 
not possible to only change the definition of key_len.



Reproduce code:
---------------
--- memcached-1.0.2/php_memcached.c     1970-01-01 11:13:08.000000000 +0200                        
+++ memcached-1.0.2-fixed/php_memcached.c       2010-10-11 12:01:05.000000000 +0200                
@@ -334,6 +334,7 @@                                                                                
 {                                                                                                 
        char *key = NULL;                                                                          
        size_t key_len = 0;                                                                        
+       int zkey_len = 0;         // zend_parse_parameters needs an int*                
        char *server_key = NULL;                                                                   
        int   server_key_len = 0;                                                                  
        char  *payload = NULL;
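Review bot: the added `zkey_len` declaration leaves two length variables for the same key with nothing saying which one is valid at which point; `key_len` stays 0 until it is copied later, so any code that reads it before that copy sees a stale value. Consider a name that states the role (for example `parsed_key_len`) and a comment on `key_len` noting that it is only set after parsing. The added line also uses a `//` comment and carries trailing whitespace; a `/* ... */` comment is the more portable choice for C89 compilers.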
@@ -349,11 +350,11 @@

        if (by_key) {
                if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|f!z", &server_key,
-                                                                 &server_key_len, &key, &key_len, &fci, &fcc, &cas_token) == FAILURE) {
+                                                                 &server_key_len, &key, &zkey_len, &fci, &fcc, &cas_token) == FAILURE) {
                        return;
                }
        } else {
-               if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|f!z", &key, &key_len,
+               if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|f!z", &key, &zkey_len,
                                                                  &fci, &fcc, &cas_token) == FAILURE) {
                        return;
                }
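Review bot: only the two `zend_parse_parameters` calls in this function are switched to `&zkey_len`; the same mismatch would apply to any other call that passes the address of a `size_t` for an `"s"` length, so it is worth checking the rest of php_memcached.c for that pattern before treating the issue as fixed. In this hunk both branches are changed consistently, and `server_key_len` is already an `int`, so nothing further is needed for the `"ss|f!z"` call.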
@@ -361,7 +362,7 @@

        MEMC_METHOD_FETCH_OBJECT;
        MEMC_G(rescode) = MEMCACHED_SUCCESS;
-
+       key_len = zkey_len;
        if (key_len == 0) {
                MEMC_G(rescode) = MEMCACHED_BAD_KEY_PROVIDED;
                RETURN_FALSE;
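Review bot: `key_len = zkey_len;` converts a signed `int` to `size_t` with no range check, so a negative `zkey_len` would turn into a very large `key_len` and pass the `key_len == 0` test on the next line. Suggest rejecting `zkey_len <= 0` with `MEMCACHED_BAD_KEY_PROVIDED` before the assignment and making the conversion explicit with `(size_t) zkey_len`. The assignment also replaces the blank line that separated `MEMC_G(rescode) = MEMCACHED_SUCCESS;` from the key check; keeping a blank line before it would preserve the original grouping.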



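The failure mode described in the report, as an added example that is not part of the original report or of the memcached extension: it simulates in byte buffers what happens when a callee stores a 32-bit length at the address of a 64-bit `size_t`. It assumes a 32-bit `int`, a 64-bit `size_t` and a big-endian PPC64 target; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lay out / read back a 64-bit value in an 8-byte slot in the given byte order. */
static void put64(unsigned char *slot, uint64_t v, int big_endian)
{
    for (int i = 0; i < 8; i++)
        slot[i] = (unsigned char)(v >> (big_endian ? 56 - 8 * i : 8 * i));
}

static uint64_t get64(const unsigned char *slot, int big_endian)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v |= (uint64_t)slot[i] << (big_endian ? 56 - 8 * i : 8 * i);
    return v;
}

/* Buggy path: the callee stores a 32-bit int at the address of a size_t.
 * Returns the value the caller then reads back as its size_t key_len. */
static uint64_t key_len_after_int_store(uint64_t initial, uint32_t len, int big_endian)
{
    unsigned char slot[8], word[4];
    put64(slot, initial, big_endian);
    for (int i = 0; i < 4; i++)
        word[i] = (unsigned char)(len >> (big_endian ? 24 - 8 * i : 8 * i));
    memcpy(slot, word, sizeof word);   /* 4-byte store at the lowest address */
    return get64(slot, big_endian);
}

/* Patched path: the length is parsed into a real int and widened by value. */
static uint64_t key_len_after_fix(int zkey_len)
{
    return (uint64_t)zkey_len;
}

int main(void)
{
    /* Constructed input: a 5-byte key, key_len initialised to 0 as in the source. */
    printf("little-endian: %llu\n", (unsigned long long)key_len_after_int_store(0, 5, 0));
    printf("big-endian:    %llu\n", (unsigned long long)key_len_after_int_store(0, 5, 1));
    printf("patched:       %llu\n", (unsigned long long)key_len_after_fix(5));
    return 0;
}
```

On a little-endian 64-bit target the bug stays hidden only because `key_len` is initialised to 0; on big-endian the 4-byte store lands in the high half, so the length handed to libmemcached is far larger than the key.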
 [2021-06-09 11:26 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-06-09 11:26 UTC] cmb@php.net
The memcached bug tracker is now on Github[1].  If this is still
an issue with the current memcached version, please report there.

[1] <https://github.com/php-memcached-dev/php-memcached/issues>
 