From 6e09e8db8d36de6a5020f5d517f62a8c16af8222 Mon Sep 17 00:00:00 2001
From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com>
Date: Mon, 17 Oct 2011 16:17:51 +0200
Subject: [PATCH] fix get/unserialize memory corruption

Possible memory corruption (and segfault) after unserialising objects:
<?php
$obj = new StdClass;
$obj->obj = $obj;
$memcache = new Memcache;
$memcache->connect('127.0.0.1', 11211);
$memcache->set('x', $obj, false, 300);
$x = $memcache->get('x');
$x = $memcache->get('x');
$x = $memcache->get('x');
$x = $memcache->get('x');
$x = $memcache->get('x');

Patch by Paul Clifford.

---
 memcache-3.0.5/memcache_pool.c |   15 +++++++--------
 1 files changed, 7 insertions(+), 8 deletions(-)

diff --git memcache-3.0.5/memcache_pool.c memcache-3.0.5/memcache_pool.c
index 420a773..e89ebce 100644
--- memcache-3.0.5/memcache_pool.c
+++ memcache-3.0.5/memcache_pool.c
@@ -422,8 +422,8 @@ int mmc_unpack_value(
 	char *data = NULL;
 	unsigned long data_len;
 
-	zval value;
-	INIT_ZVAL(value);
+	zval *object;
+	ALLOC_INIT_ZVAL(object);
 
 	if (flags & MMC_COMPRESSED) {
 		if (mmc_uncompress(buffer->value.c, bytes, &data, &data_len) != MMC_OK) {
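Review bot: The zval is now heap-allocated by `ALLOC_INIT_ZVAL(object)` before the `mmc_uncompress` check on the last line of the hunk, so the decompression-failure branch (whose body lies outside the hunk) must now release it or every failed decompression leaks a zval for the rest of the request. If that branch still just returns an error, add `zval_ptr_dtor(&object);` before the return, and do the same on any other early-exit path between the allocation and the value-handler call. Alternatively move the allocation down to just before the first `ZVAL_*` use so no error path has to know about it. The enclosing function mmc_unpack_value starts outside the hunk.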
@@ -439,7 +439,6 @@ int mmc_unpack_value(
 	if (flags & MMC_SERIALIZED) {
 		php_unserialize_data_t var_hash;
 		const unsigned char *p = (unsigned char *)data;
-		zval *object = &value;
 
 		char key_tmp[MMC_MAX_KEY_LEN + 1];
 		mmc_request_value_handler value_handler;
@@ -495,7 +494,7 @@ int mmc_unpack_value(
 				long val;
 				data[data_len] = '\0';
 				val = strtol(data, NULL, 10);
-				ZVAL_LONG(&value, val);
+				ZVAL_LONG(object, val);
 				break;
 			}
 
@@ -503,17 +502,17 @@ int mmc_unpack_value(
 				double val = 0;
 				data[data_len] = '\0';
 				sscanf(data, "%lg", &val);
-				ZVAL_DOUBLE(&value, val);
+				ZVAL_DOUBLE(object, val);
 				break;
 			}
 
 			case MMC_TYPE_BOOL:
-				ZVAL_BOOL(&value, data_len == 1 && data[0] == '1');
+				ZVAL_BOOL(object, data_len == 1 && data[0] == '1');
 				break;
 
 			default:
 				data[data_len] = '\0';
-				ZVAL_STRINGL(&value, data, data_len, 0);
+				ZVAL_STRINGL(object, data, data_len, 0);
 
 				if (!(flags & MMC_COMPRESSED)) {
 					/* release buffer because it's now owned by the zval */
@@ -522,7 +521,7 @@ int mmc_unpack_value(
 		}
 
 		/* delegate to value handler */
-		return request->value_handler(key, key_len, &value, flags, cas, request->value_handler_param TSRMLS_CC);
+		return request->value_handler(key, key_len, object, flags, cas, request->value_handler_param TSRMLS_CC);
 	}
 }
 /* }}}*/
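Review bot: The value handler now receives a heap-allocated zval instead of a pointer to a stack temporary, and nothing in the hunk states who releases it; if the handler does not take ownership this is a leak on every unpacked value, and if it does, the earlier error returns in the function must free `object` themselves. Pin the contract at the call site with a comment such as `/* object is heap-allocated; value_handler takes ownership and must release it */`, and confirm each value_handler implementation actually does so (zval_ptr_dtor or storing the pointer). The function mmc_unpack_value begins outside this hunk, so the early-exit paths cannot be checked here.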
-- 
1.7.6.2