Bug #59456 zend_parse_parameters is called with key_len defined as size_t
Submitted: 2010-10-11 06:51 UTC Modified: -
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: gerhardus1 at gmail dot com Assigned:
Status: Open Package: memcached (PECL)
PHP Version: 5.3.2 OS: SLES 11 SP1 PPC64
Private report: No CVE-ID: None

 [2010-10-11 06:51 UTC] gerhardus1 at gmail dot com
Description:
------------
In php_memc_get_impl (php_memcached.c), zend_parse_parameters 
is called with the parameter &key_len. Zend expects this to be a 
pointer to an int, and in the code it is a pointer to a 
size_t. These types are different lengths on PPC64, which causes 
a segmentation error. I add the patch for a suggested fix. 
Since libmemcached expects a pointer to a size_t length, it is 
not possible to only change the definition of key_len.



Reproduce code:
---------------
--- memcached-1.0.2/php_memcached.c     1970-01-01 11:13:08.000000000 +0200                        
+++ memcached-1.0.2-fixed/php_memcached.c       2010-10-11 12:01:05.000000000 +0200                
@@ -334,6 +334,7 @@                                                                                
 {                                                                                                 
        char *key = NULL;                                                                          
        size_t key_len = 0;                                                                        
+       int zkey_len = 0;         // zend_parse_parameters needs an int*                
        char *server_key = NULL;                                                                   
        int   server_key_len = 0;                                                                  
        char  *payload = NULL;
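
Review bot: the added `int zkey_len` line uses a `//` comment and leaves trailing whitespace after it; PHP's C coding standards ask for C-style comments, so write it as `int zkey_len = 0; /* zend_parse_parameters "s" writes an int length */`. Since `key_len` and `zkey_len` now describe the same value, the comment should also say that `key_len` is the size_t copy handed to libmemcached, so the next reader does not pass `&key_len` to the parser again.
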
@@ -349,11 +350,11 @@

        if (by_key) {
                if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|f!z", &server_key,
-                                                                 &server_key_len, &key, &key_len, &fci, &fcc, &cas_token) == FAILURE) {
+                                                                 &server_key_len, &key, &zkey_len, &fci, &fcc, &cas_token) == FAILURE) {
                        return;
                }
        } else {
-               if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|f!z", &key, &key_len,
+               if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|f!z", &key, &zkey_len,
                                                                  &fci, &fcc, &cas_token) == FAILURE) {
                        return;
                }
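
Review bot: with both branches now passing `&zkey_len`, nothing in this if/else writes `key_len`, so it keeps its initial 0 until the copy added in the next hunk, which sits after MEMC_METHOD_FETCH_OBJECT rather than beside the parse calls. Putting `key_len = zkey_len;` directly after the closing brace of this if/else would keep the parsed value and its size_t copy together and avoid a stretch of code where `key_len` is stale.
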
@@ -361,7 +362,7 @@

        MEMC_METHOD_FETCH_OBJECT;
        MEMC_G(rescode) = MEMCACHED_SUCCESS;
-
+       key_len = zkey_len;
        if (key_len == 0) {
                MEMC_G(rescode) = MEMCACHED_BAD_KEY_PROVIDED;
                RETURN_FALSE;
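
Review bot: `key_len = zkey_len;` converts a signed int to size_t with no range check, and the `key_len == 0` test that follows would not catch a negative `zkey_len`, which becomes a very large size_t. Testing `zkey_len <= 0` before the assignment keeps the MEMCACHED_BAD_KEY_PROVIDED path covering that case. The assignment also takes the place of the blank line that separated the setup from the check; keep the blank line and add the assignment after it.
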



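Why the mismatch crashes on PPC64 but can go unnoticed elsewhere, as an added example that is not code from the bug report or the memcached extension: it models the parser's int-sized store into an 8-byte size_t under both byte orders. It assumes a 4-byte int and an 8-byte size_t, with big-endian standing in for the reporter's PPC64 system; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum byte_order { ORDER_LITTLE, ORDER_BIG };

/* Write the low n bytes of v into dst using the given byte order. */
static void store(unsigned char *dst, uint64_t v, size_t n, enum byte_order bo)
{
    for (size_t i = 0; i < n; i++)
        dst[bo == ORDER_LITTLE ? i : n - 1 - i] = (unsigned char)(v >> (8 * i));
}

/* Read n bytes from src as one unsigned value in the given byte order. */
static uint64_t load(const unsigned char *src, size_t n, enum byte_order bo)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)src[bo == ORDER_LITTLE ? i : n - 1 - i] << (8 * i);
    return v;
}

/* Unpatched flow: key_len is an 8-byte size_t holding `initial`; the parser
 * stores a 4-byte int at its address; the caller then reads all 8 bytes. */
uint64_t mismatched_key_len(uint64_t initial, uint32_t parsed_len, enum byte_order bo)
{
    unsigned char slot[8];
    store(slot, initial, 8, bo);
    store(slot, parsed_len, 4, bo);  /* int-sized write at offset 0 */
    return load(slot, 8, bo);
}

/* Patched flow: the parser fills a real int, which is then widened by value. */
uint64_t patched_key_len(uint32_t parsed_len, enum byte_order bo)
{
    unsigned char zkey_len[4];
    store(zkey_len, parsed_len, 4, bo);
    return load(zkey_len, 4, bo);    /* models: key_len = zkey_len; */
}

int main(void)
{
    uint32_t len = 7;  /* constructed sample: a 7-byte key */
    printf("little-endian unpatched: %llu\n", (unsigned long long)mismatched_key_len(0, len, ORDER_LITTLE));
    printf("big-endian unpatched:    %llu\n", (unsigned long long)mismatched_key_len(0, len, ORDER_BIG));
    printf("big-endian patched:      %llu\n", (unsigned long long)patched_key_len(len, ORDER_BIG));
    return 0;
}
```

On the little-endian model the zero-initialised `key_len` happens to read back as 7, while the big-endian model reads 7 shifted into the upper half of the size_t.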