Bug #65334 Segfault if uncompress value failed
Submitted: 2013-07-25 12:01 UTC Modified: 2016-08-08 04:03 UTC
Votes:5
Avg. Score:3.0 ± 1.3
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: laruence@php.net Assigned: laruence (profile)
Status: Closed Package: memcached (PECL)
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2013-07-25 12:01 UTC] laruence@php.net
Description:
------------
the code is obviously wrong

if php_memc_zval_from_payload returns -1, the value's type is an uninitialized value.


so the patch is:


diff --git a/php_memcached.c b/php_memcached.c
index bf3037c..6ae3147 100644
--- a/php_memcached.c
+++ b/php_memcached.c
@@ -784,7 +784,7 @@ static void 
php_memc_getMulti_impl(INTERNAL_FUNCTION_PARAMETERS, zend_bool by_ke
 		MAKE_STD_ZVAL(value);

 		if (php_memc_zval_from_payload(value, payload, payload_len, flags, 
m_obj->serializer TSRMLS_CC) < 0) {
-			zval_ptr_dtor(&value);
+			efree(value);
 			if (EG(exception)) {
 				status = MEMC_RES_PAYLOAD_FAILURE;
 				php_memc_handle_error(i_obj, status TSRMLS_CC);
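Review bot: efree(value) on the "< 0" branch releases only the container from MAKE_STD_ZVAL and skips the destructor, so it is correct only if no failing path of php_memc_zval_from_payload has already stored owned data in value; if one has, that data leaks. It also covers just this call site in php_memc_getMulti_impl. Consider typing value as a scalar inside php_memc_zval_from_payload before each return -1 and keeping zval_ptr_dtor(&value) here, so the callee hands every caller a value that is safe to destroy.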


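A stand-alone model of the failure described above, added here as an example and not code from php-memcached: a decoder returns -1 without typing its out-parameter, and a type-dispatching destructor then acts on stale bytes. `toy_val`, `toy_alloc`, `toy_from_payload` and the 0x5a fill are hypothetical names and constructed values, not Zend's zval or its allocator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy tagged value; a hypothetical stand-in, NOT Zend's real zval layout. */
enum { TOY_NULL = 0, TOY_STRING = 0x5a };
typedef struct { char *str; unsigned char type; } toy_val;

/* Allocates the container without setting its type. The 0x5a fill is a
 * constructed stand-in for stale heap bytes so the run is deterministic. */
static toy_val *toy_alloc(void) {
    toy_val *v = malloc(sizeof *v);
    if (v) memset(v, 0x5a, sizeof *v);
    return v;
}

/* Decoder with an out-parameter. init_on_fail=0 models a failure path that
 * returns -1 without touching v; 1 models typing v before returning -1. */
static int toy_from_payload(toy_val *v, const char *payload, int init_on_fail) {
    char *copy = payload ? malloc(strlen(payload) + 1) : NULL;
    if (copy == NULL) {
        if (init_on_fail) { v->type = TOY_NULL; v->str = NULL; }
        return -1;
    }
    strcpy(copy, payload);
    v->str = copy;
    v->type = TOY_STRING;
    return 0;
}

/* The decision a type-dispatching destructor makes: 1 = it would free v->str. */
static int toy_dtor_would_free_str(const toy_val *v) { return v->type == TOY_STRING; }

/* 1 if the failure path ends with the destructor freeing a pointer that was
 * never allocated, 0 if the value is safe to destroy, -1 on allocation failure. */
static int failure_path_frees_garbage(int init_on_fail) {
    toy_val *v = toy_alloc();
    if (v == NULL) return -1;
    int rc = toy_from_payload(v, NULL, init_on_fail);
    int bad = rc < 0 && toy_dtor_would_free_str(v);
    free(v); /* release the container only */
    return bad;
}

int main(void) {
    printf("uninitialized on failure: %d\n", failure_path_frees_garbage(0));
    printf("typed on failure:         %d\n", failure_path_frees_garbage(1));
    return 0;
}
```
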
Patches

bug65334.patch (last revision 2013-07-26 03:22 UTC by laruence@php.net)

Pull Requests

History

 [2013-07-25 12:03 UTC] laruence@php.net
-Assigned To: +Assigned To: andrei
 [2013-07-25 12:03 UTC] laruence@php.net
@andrei, we met this bug, if no objections,  I can ci it for you :)

thanks
 [2013-07-25 12:05 UTC] laruence@php.net
maybe this patch is better:

$ git diff
diff --git a/php_memcached.c b/php_memcached.c
index bf3037c..677858c 100644
--- a/php_memcached.c
+++ b/php_memcached.c
@@ -2604,6 +2604,7 @@ static int php_memc_zval_from_payload(zval *value, char 
*payload, size_t payload
 	if (payload == NULL && payload_len > 0) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING,
 			"Could not handle non-existing value of length %zu", 
payload_len);
+		ZVAL_NULL(value);
 		return -1;
 	} else if (payload == NULL) {
 		if (MEMC_VAL_GET_TYPE(flags) == MEMC_VAL_IS_BOOL) {
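Review bot: ZVAL_NULL(value) is placed by hand before the return -1 in the "payload == NULL && payload_len > 0" branch, so any other return -1 in php_memc_zval_from_payload that this diff does not touch would still hand back an untyped value. Initializing value once at the top of the function, before the first check, would cover every exit and remove the need to remember it per branch.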
@@ -2654,6 +2655,7 @@ static int php_memc_zval_from_payload(zval *value, char 
*payload, size_t payload

 		if (!decompress_status) {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "could not 
decompress value");
+			ZVAL_NULL(value);
 			efree(buffer);
 			return -1;
 		}
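Review bot: missing documentation for the contract that the ZVAL_NULL(value) line in the "!decompress_status" branch introduces. Add a comment above php_memc_zval_from_payload stating that on -1 the out-parameter is initialized and owns no data, since callers run zval_ptr_dtor(&value) on failure, and add a regression test that fetches a value whose compressed payload cannot be decompressed so the contract is checked when new error paths are added.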
 [2013-07-25 13:38 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug65334.patch
Revision:   1374759531
URL:        https://bugs.php.net/patch-display.php?bug=65334&patch=bug65334.patch&revision=1374759531
 [2013-07-25 13:40 UTC] laruence@php.net
patch attached as a file, and use ZVAL_FALSE to be consistent..

thanks
 [2013-07-26 03:22 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug65334.patch
Revision:   1374808971
URL:        https://bugs.php.net/patch-display.php?bug=65334&patch=bug65334.patch&revision=1374808971
 [2016-08-06 00:33 UTC] kalle@php.net
-Assigned To: andrei +Assigned To: laruence
 [2016-08-06 00:33 UTC] kalle@php.net
Hi Xinchen

Since development of the extension seems to go on github, it might be worth re-posting it there!

https://github.com/php-memcached-dev/php-memcached
 [2016-08-08 04:03 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2016-08-08 04:03 UTC] laruence@php.net
this should be fixed already. thanks :)
 
Last updated: Sun Oct 27 16:01:27 2024 UTC