Bug #65334 Segfault if uncompress value failed
Submitted: 2013-07-25 12:01 UTC Modified: 2016-08-08 04:03 UTC
Votes:5
Avg. Score:3.0 ± 1.3
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: laruence@php.net Assigned: laruence (profile)
Status: Closed Package: memcached (PECL)
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2013-07-25 12:01 UTC] laruence@php.net
Description:
------------
the code is obviously wrong

if php_memc_zval_from_payload returns -1, the value's type is an uninitialized value.


so the patch is:


diff --git a/php_memcached.c b/php_memcached.c
index bf3037c..6ae3147 100644
--- a/php_memcached.c
+++ b/php_memcached.c
@@ -784,7 +784,7 @@ static void 
php_memc_getMulti_impl(INTERNAL_FUNCTION_PARAMETERS, zend_bool by_ke
 		MAKE_STD_ZVAL(value);

 		if (php_memc_zval_from_payload(value, payload, payload_len, flags, 
m_obj->serializer TSRMLS_CC) < 0) {
-			zval_ptr_dtor(&value);
+			efree(value);
 			if (EG(exception)) {
 				status = MEMC_RES_PAYLOAD_FAILURE;
 				php_memc_handle_error(i_obj, status TSRMLS_CC);
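
Review bot: The efree(value) on the failure branch releases only the container allocated by MAKE_STD_ZVAL(value), so anything php_memc_zval_from_payload stored in value before returning a negative result would leak, and every other caller that destroys the value after a failure needs the same change. It would be more robust to keep zval_ptr_dtor(&value) here and have php_memc_zval_from_payload leave value initialized on each failing return, so the destructor is always safe to call.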


Patches

bug65334.patch (last revision 2013-07-26 03:22 UTC by laruence@php.net)

 [2013-07-25 12:03 UTC] laruence@php.net
-Assigned To: +Assigned To: andrei
 [2013-07-25 12:03 UTC] laruence@php.net
@andrei, we met this bug; if there are no objections, I can ci it for you :)

thanks
 [2013-07-25 12:05 UTC] laruence@php.net
maybe this patch is better:

$ git diff
diff --git a/php_memcached.c b/php_memcached.c
index bf3037c..677858c 100644
--- a/php_memcached.c
+++ b/php_memcached.c
@@ -2604,6 +2604,7 @@ static int php_memc_zval_from_payload(zval *value, char 
*payload, size_t payload
 	if (payload == NULL && payload_len > 0) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING,
 			"Could not handle non-existing value of length %zu", 
payload_len);
+		ZVAL_NULL(value);
 		return -1;
 	} else if (payload == NULL) {
 		if (MEMC_VAL_GET_TYPE(flags) == MEMC_VAL_IS_BOOL) {
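
Review bot: The ZVAL_NULL(value) before return -1 in the payload == NULL && payload_len > 0 branch covers only this one exit, so the caller's zval_ptr_dtor(&value) stays unsafe for any other failing return that leaves value untouched. Setting ZVAL_NULL(value) once at the top of php_memc_zval_from_payload, before the first check, would cover every current and future failure path with a single line.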
@@ -2654,6 +2655,7 @@ static int php_memc_zval_from_payload(zval *value, char 
*payload, size_t payload

 		if (!decompress_status) {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "could not 
decompress value");
+			ZVAL_NULL(value);
 			efree(buffer);
 			return -1;
 		}
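
Review bot: In the decompression failure branch, value is now set while the function still returns -1, but nothing states that callers may rely on value being initialized after a failure. Add a comment on php_memc_zval_from_payload documenting that contract, and a regression test that fetches a stored value whose compressed payload cannot be decompressed, so that a later return -1 added without the initialization is caught.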
 [2013-07-25 13:38 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug65334.patch
Revision:   1374759531
URL:        https://bugs.php.net/patch-display.php?bug=65334&patch=bug65334.patch&revision=1374759531
 [2013-07-25 13:40 UTC] laruence@php.net
patch attached as a file, and use ZVAL_FALSE to be consistent..

thanks
 [2013-07-26 03:22 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug65334.patch
Revision:   1374808971
URL:        https://bugs.php.net/patch-display.php?bug=65334&patch=bug65334.patch&revision=1374808971
 [2016-08-06 00:33 UTC] kalle@php.net
-Assigned To: andrei +Assigned To: laruence
 [2016-08-06 00:33 UTC] kalle@php.net
Hi Xinchen

Since development of the extension seems to go on github, it might be worth re-posting it there!

https://github.com/php-memcached-dev/php-memcached
 [2016-08-08 04:03 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2016-08-08 04:03 UTC] laruence@php.net
this should be fixed already. thanks :)
 
Last updated: Sat Nov 28 09:01:23 2020 UTC