summaryrefslogtreecommitdiffstats
path: root/php-pecl-memcache-3.0.5-get-mem-corrupt.patch
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2012-07-07 18:17:45 +0200
committerRemi Collet <fedora@famillecollet.com>2012-07-07 18:17:45 +0200
commit0cf7f7a26ba8e00f97b2a48f087b723a424c9221 (patch)
tree8b02092d8ff6e73552a5efebd82058e51dd59593 /php-pecl-memcache-3.0.5-get-mem-corrupt.patch
parent060ccef5bee3a846078e6f2ba7d7b52145ebc54b (diff)
php-pecl-memcache: sync with rawhide
Diffstat (limited to 'php-pecl-memcache-3.0.5-get-mem-corrupt.patch')
-rw-r--r--php-pecl-memcache-3.0.5-get-mem-corrupt.patch89
1 files changed, 89 insertions, 0 deletions
diff --git a/php-pecl-memcache-3.0.5-get-mem-corrupt.patch b/php-pecl-memcache-3.0.5-get-mem-corrupt.patch
new file mode 100644
index 0000000..0b7c66c
--- /dev/null
+++ b/php-pecl-memcache-3.0.5-get-mem-corrupt.patch
@@ -0,0 +1,89 @@
+From 6e09e8db8d36de6a5020f5d517f62a8c16af8222 Mon Sep 17 00:00:00 2001
+From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com>
+Date: Mon, 17 Oct 2011 16:17:51 +0200
+Subject: [PATCH] fix get/unserialize memory corruption
+
+Possible memory corruption (and segfault) after unserialising objects:
+<?php
+$obj = new StdClass;
+$obj->obj = $obj;
+$memcache = new Memcache;
+$memcache->connect('127.0.0.1', 11211);
+$memcache->set('x', $obj, false, 300);
+$x = $memcache->get('x');
+$x = $memcache->get('x');
+$x = $memcache->get('x');
+$x = $memcache->get('x');
+$x = $memcache->get('x');
+
+Patch by Paul Clifford.
+
+---
+ memcache-3.0.5/memcache_pool.c | 15 +++++++--------
+ 1 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git memcache-3.0.5/memcache_pool.c memcache-3.0.5/memcache_pool.c
+index 420a773..e89ebce 100644
+--- memcache-3.0.5/memcache_pool.c
++++ memcache-3.0.5/memcache_pool.c
+@@ -422,8 +422,8 @@ int mmc_unpack_value(
+ char *data = NULL;
+ unsigned long data_len;
+
+- zval value;
+- INIT_ZVAL(value);
++ zval *object;
++ ALLOC_INIT_ZVAL(object);
+
+ if (flags & MMC_COMPRESSED) {
+ if (mmc_uncompress(buffer->value.c, bytes, &data, &data_len) != MMC_OK) {
+@@ -439,7 +439,6 @@ int mmc_unpack_value(
+ if (flags & MMC_SERIALIZED) {
+ php_unserialize_data_t var_hash;
+ const unsigned char *p = (unsigned char *)data;
+- zval *object = &value;
+
+ char key_tmp[MMC_MAX_KEY_LEN + 1];
+ mmc_request_value_handler value_handler;
+@@ -495,7 +494,7 @@ int mmc_unpack_value(
+ long val;
+ data[data_len] = '\0';
+ val = strtol(data, NULL, 10);
+- ZVAL_LONG(&value, val);
++ ZVAL_LONG(object, val);
+ break;
+ }
+
+@@ -503,17 +502,17 @@ int mmc_unpack_value(
+ double val = 0;
+ data[data_len] = '\0';
+ sscanf(data, "%lg", &val);
+- ZVAL_DOUBLE(&value, val);
++ ZVAL_DOUBLE(object, val);
+ break;
+ }
+
+ case MMC_TYPE_BOOL:
+- ZVAL_BOOL(&value, data_len == 1 && data[0] == '1');
++ ZVAL_BOOL(object, data_len == 1 && data[0] == '1');
+ break;
+
+ default:
+ data[data_len] = '\0';
+- ZVAL_STRINGL(&value, data, data_len, 0);
++ ZVAL_STRINGL(object, data, data_len, 0);
+
+ if (!(flags & MMC_COMPRESSED)) {
+ /* release buffer because it's now owned by the zval */
+@@ -522,7 +521,7 @@ int mmc_unpack_value(
+ }
+
+ /* delegate to value handler */
+- return request->value_handler(key, key_len, &value, flags, cas, request->value_handler_param TSRMLS_CC);
++ return request->value_handler(key, key_len, object, flags, cas, request->value_handler_param TSRMLS_CC);
+ }
+ }
+ /* }}}*/
+--
+1.7.6.2
+