
Patch php-pecl-memcache-3.0.5-get-mem-corrupt.patch for memcache Bug #63142

Patch version 2012-09-23 06:49 UTC


Developer: remi@php.net

From 6e09e8db8d36de6a5020f5d517f62a8c16af8222 Mon Sep 17 00:00:00 2001
From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com>
Date: Mon, 17 Oct 2011 16:17:51 +0200
Subject: [PATCH] fix get/unserialize memory corruption

Possible memory corruption (and segfault) after unserialising objects:
<?php
$obj = new StdClass;
$obj->obj = $obj;
$memcache = new Memcache;
$memcache->connect('127.0.0.1', 11211);
$memcache->set('x', $obj, false, 300);
$x = $memcache->get('x');
$x = $memcache->get('x');
$x = $memcache->get('x');
$x = $memcache->get('x');
$x = $memcache->get('x');

Patch by Paul Clifford.

---
 memcache-3.0.5/memcache_pool.c |   15 +++++++--------
 1 files changed, 7 insertions(+), 8 deletions(-)

diff --git memcache-3.0.5/memcache_pool.c memcache-3.0.5/memcache_pool.c
index 420a773..e89ebce 100644
--- memcache-3.0.5/memcache_pool.c
+++ memcache-3.0.5/memcache_pool.c
@@ -422,8 +422,8 @@ int mmc_unpack_value(
 	char *data = NULL;
 	unsigned long data_len;
 
-	zval value;
-	INIT_ZVAL(value);
+	zval *object;
+	ALLOC_INIT_ZVAL(object);
 
 	if (flags & MMC_COMPRESSED) {
 		if (mmc_uncompress(buffer->value.c, bytes, &data, &data_len) != MMC_OK) {
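Review bot: `ALLOC_INIT_ZVAL(object);` now heap-allocates before the decompression check that follows it, so if the `mmc_uncompress(...) != MMC_OK` branch returns early (its body lies outside the hunk), the freshly allocated zval is leaked on every corrupt or oversized compressed value, whereas the stack `zval value` it replaces had no such cost on that exit. Either move the allocation below the error exits or release it there with `zval_ptr_dtor(&object);` before returning. The same care applies to any failure exit inside the MMC_SERIALIZED branch later in the function, which the remaining hunks only partly show. mmc_unpack_value's signature and the decompression failure body are outside this hunk.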
@@ -439,7 +439,6 @@ int mmc_unpack_value(
 	if (flags & MMC_SERIALIZED) {
 		php_unserialize_data_t var_hash;
 		const unsigned char *p = (unsigned char *)data;
-		zval *object = &value;
 
 		char key_tmp[MMC_MAX_KEY_LEN + 1];
 		mmc_request_value_handler value_handler;
@@ -495,7 +494,7 @@ int mmc_unpack_value(
 				long val;
 				data[data_len] = '\0';
 				val = strtol(data, NULL, 10);
-				ZVAL_LONG(&value, val);
+				ZVAL_LONG(object, val);
 				break;
 			}
 
@@ -503,17 +502,17 @@ int mmc_unpack_value(
 				double val = 0;
 				data[data_len] = '\0';
 				sscanf(data, "%lg", &val);
-				ZVAL_DOUBLE(&value, val);
+				ZVAL_DOUBLE(object, val);
 				break;
 			}
 
 			case MMC_TYPE_BOOL:
-				ZVAL_BOOL(&value, data_len == 1 && data[0] == '1');
+				ZVAL_BOOL(object, data_len == 1 && data[0] == '1');
 				break;
 
 			default:
 				data[data_len] = '\0';
-				ZVAL_STRINGL(&value, data, data_len, 0);
+				ZVAL_STRINGL(object, data, data_len, 0);
 
 				if (!(flags & MMC_COMPRESSED)) {
 					/* release buffer because it's now owned by the zval */
@@ -522,7 +521,7 @@ int mmc_unpack_value(
 		}
 
 		/* delegate to value handler */
-		return request->value_handler(key, key_len, &value, flags, cas, request->value_handler_param TSRMLS_CC);
+		return request->value_handler(key, key_len, object, flags, cas, request->value_handler_param TSRMLS_CC);
 	}
 }
 /* }}}*/
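Review bot: The call on the `+` line hands a heap-allocated zval to request->value_handler, so the final release is now the handler's (or its consumer's) responsibility, yet nothing in the function records that transfer; a reader comparing against the previous stack-allocated `value` could reasonably add a local destructor and double-free it. I would add above the call `/* object was ALLOC_INIT_ZVAL'd above; ownership (and its eventual zval_ptr_dtor) passes to the value handler */`. The serialized branch's own delegation is outside the hunk and presumably needs the same note. The renames in the two preceding hunks are mechanical and raise nothing further.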
-- 
1.7.6.2
