path: root/php-pecl-memcache-3.0.5-get-mem-corrupt.patch
Diffstat (limited to 'php-pecl-memcache-3.0.5-get-mem-corrupt.patch')
-rw-r--r--php-pecl-memcache-3.0.5-get-mem-corrupt.patch89
1 files changed, 89 insertions, 0 deletions
diff --git a/php-pecl-memcache-3.0.5-get-mem-corrupt.patch b/php-pecl-memcache-3.0.5-get-mem-corrupt.patch
new file mode 100644
index 0000000..0b7c66c
--- /dev/null
+++ b/php-pecl-memcache-3.0.5-get-mem-corrupt.patch
@@ -0,0 +1,89 @@
+From 6e09e8db8d36de6a5020f5d517f62a8c16af8222 Mon Sep 17 00:00:00 2001
+From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com>
+Date: Mon, 17 Oct 2011 16:17:51 +0200
+Subject: [PATCH] fix get/unserialize memory corruption
+
+Possible memory corruption (and segfault) after unserialising objects:
+<?php
+$obj = new StdClass;
+$obj->obj = $obj;
+$memcache = new Memcache;
+$memcache->connect('127.0.0.1', 11211);
+$memcache->set('x', $obj, false, 300);
+$x = $memcache->get('x');
+$x = $memcache->get('x');
+$x = $memcache->get('x');
+$x = $memcache->get('x');
+$x = $memcache->get('x');
+
+Patch by Paul Clifford.
+
+---
+ memcache-3.0.5/memcache_pool.c | 15 +++++++--------
+ 1 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git memcache-3.0.5/memcache_pool.c memcache-3.0.5/memcache_pool.c
+index 420a773..e89ebce 100644
+--- memcache-3.0.5/memcache_pool.c
++++ memcache-3.0.5/memcache_pool.c
+@@ -422,8 +422,8 @@ int mmc_unpack_value(
+ char *data = NULL;
+ unsigned long data_len;
+
+- zval value;
+- INIT_ZVAL(value);
++ zval *object;
++ ALLOC_INIT_ZVAL(object);
+
+ if (flags & MMC_COMPRESSED) {
+ if (mmc_uncompress(buffer->value.c, bytes, &data, &data_len) != MMC_OK) {
+@@ -439,7 +439,6 @@ int mmc_unpack_value(
+ if (flags & MMC_SERIALIZED) {
+ php_unserialize_data_t var_hash;
+ const unsigned char *p = (unsigned char *)data;
+- zval *object = &value;
+
+ char key_tmp[MMC_MAX_KEY_LEN + 1];
+ mmc_request_value_handler value_handler;
+@@ -495,7 +494,7 @@ int mmc_unpack_value(
+ long val;
+ data[data_len] = '\0';
+ val = strtol(data, NULL, 10);
+- ZVAL_LONG(&value, val);
++ ZVAL_LONG(object, val);
+ break;
+ }
+
+@@ -503,17 +502,17 @@ int mmc_unpack_value(
+ double val = 0;
+ data[data_len] = '\0';
+ sscanf(data, "%lg", &val);
+- ZVAL_DOUBLE(&value, val);
++ ZVAL_DOUBLE(object, val);
+ break;
+ }
+
+ case MMC_TYPE_BOOL:
+- ZVAL_BOOL(&value, data_len == 1 && data[0] == '1');
++ ZVAL_BOOL(object, data_len == 1 && data[0] == '1');
+ break;
+
+ default:
+ data[data_len] = '\0';
+- ZVAL_STRINGL(&value, data, data_len, 0);
++ ZVAL_STRINGL(object, data, data_len, 0);
+
+ if (!(flags & MMC_COMPRESSED)) {
+ /* release buffer because it's now owned by the zval */
+@@ -522,7 +521,7 @@ int mmc_unpack_value(
+ }
+
+ /* delegate to value handler */
+- return request->value_handler(key, key_len, &value, flags, cas, request->value_handler_param TSRMLS_CC);
++ return request->value_handler(key, key_len, object, flags, cas, request->value_handler_param TSRMLS_CC);
+ }
+ }
+ /* }}}*/
+--
+1.7.6.2
+
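Review bot: The zval that replaces the stack `value` in mmc_unpack_value is now heap-allocated by `ALLOC_INIT_ZVAL(object)` ahead of the `MMC_COMPRESSED` check, so every exit that does not reach `request->value_handler(...)` has to release it. The body of the `mmc_uncompress(...) != MMC_OK` branch and the unserialize failure path lie outside the inner hunks; if they return directly, each failed get leaks one zval, and the payload that triggers those failures comes from the cache server. Either move the allocation down to just before its first use or add `zval_ptr_dtor(&object);` in front of those returns. The visible lines also do not show who frees `object` after the final call, so if the handler is meant to own it, a comment such as `/* value_handler takes ownership of object and must release it */` at that call would record the contract.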