Diffstat (limited to 'php-pecl-memcache-3.0.5-get-mem-corrupt.patch')
-rw-r--r-- | php-pecl-memcache-3.0.5-get-mem-corrupt.patch | 89 |
1 files changed, 0 insertions, 89 deletions
diff --git a/php-pecl-memcache-3.0.5-get-mem-corrupt.patch b/php-pecl-memcache-3.0.5-get-mem-corrupt.patch
deleted file mode 100644
index 0b7c66c..0000000
--- a/php-pecl-memcache-3.0.5-get-mem-corrupt.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 6e09e8db8d36de6a5020f5d517f62a8c16af8222 Mon Sep 17 00:00:00 2001
-From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com>
-Date: Mon, 17 Oct 2011 16:17:51 +0200
-Subject: [PATCH] fix get/unserialize memory corruption
-
-Possible memory corruption (and segfault) after unserialising objects:
-<?php
-$obj = new StdClass;
-$obj->obj = $obj;
-$memcache = new Memcache;
-$memcache->connect('127.0.0.1', 11211);
-$memcache->set('x', $obj, false, 300);
-$x = $memcache->get('x');
-$x = $memcache->get('x');
-$x = $memcache->get('x');
-$x = $memcache->get('x');
-$x = $memcache->get('x');
-
-Patch by Paul Clifford.
-
----
- memcache-3.0.5/memcache_pool.c | 15 +++++++--------
- 1 files changed, 7 insertions(+), 8 deletions(-)
-
-diff --git memcache-3.0.5/memcache_pool.c memcache-3.0.5/memcache_pool.c
-index 420a773..e89ebce 100644
---- memcache-3.0.5/memcache_pool.c
-+++ memcache-3.0.5/memcache_pool.c
-@@ -422,8 +422,8 @@ int mmc_unpack_value(
- char *data = NULL;
- unsigned long data_len;
-
-- zval value;
-- INIT_ZVAL(value);
-+ zval *object;
-+ ALLOC_INIT_ZVAL(object);
-
- if (flags & MMC_COMPRESSED) {
- if (mmc_uncompress(buffer->value.c, bytes, &data, &data_len) != MMC_OK) {
-@@ -439,7 +439,6 @@ int mmc_unpack_value(
- if (flags & MMC_SERIALIZED) {
- php_unserialize_data_t var_hash;
- const unsigned char *p = (unsigned char *)data;
-- zval *object = &value;
-
- char key_tmp[MMC_MAX_KEY_LEN + 1];
- mmc_request_value_handler value_handler;
-@@ -495,7 +494,7 @@ int mmc_unpack_value(
- long val;
- data[data_len] = '\0';
- val = strtol(data, NULL, 10);
-- ZVAL_LONG(&value, val);
-+ ZVAL_LONG(object, val);
- break;
- }
-
-@@ -503,17 +502,17 @@ int mmc_unpack_value(
- double val = 0;
- data[data_len] = '\0';
- sscanf(data, "%lg", &val);
-- ZVAL_DOUBLE(&value, val);
-+ ZVAL_DOUBLE(object, val);
- break;
- }
-
- case MMC_TYPE_BOOL:
-- ZVAL_BOOL(&value, data_len == 1 && data[0] == '1');
-+ ZVAL_BOOL(object, data_len == 1 && data[0] == '1');
- break;
-
- default:
- data[data_len] = '\0';
-- ZVAL_STRINGL(&value, data, data_len, 0);
-+ ZVAL_STRINGL(object, data, data_len, 0);
-
- if (!(flags & MMC_COMPRESSED)) {
- /* release buffer because it's now owned by the zval */
-@@ -522,7 +521,7 @@ int mmc_unpack_value(
- }
-
- /* delegate to value handler */
-- return request->value_handler(key, key_len, &value, flags, cas, request->value_handler_param TSRMLS_CC);
-+ return request->value_handler(key, key_len, object, flags, cas, request->value_handler_param TSRMLS_CC);
- }
- }
- /* }}}*/
---
-1.7.6.2
- |