From 6e09e8db8d36de6a5020f5d517f62a8c16af8222 Mon Sep 17 00:00:00 2001
From: "Vojtech Vitek (V-Teq)"
Date: Mon, 17 Oct 2011 16:17:51 +0200
Subject: [PATCH] fix get/unserialize memory corruption

Possible memory corruption (and segfault) after unserialising objects: obj = $obj; $memcache = new Memcache; $memcache->connect('127.0.0.1', 11211); $memcache->set('x', $obj, false, 300); $x = $memcache->get('x'); $x = $memcache->get('x'); $x = $memcache->get('x'); $x = $memcache->get('x'); $x = $memcache->get('x'); Patch by Paul Clifford.
---
 memcache-3.0.5/memcache_pool.c | 15 +++++++--------
 1 files changed, 7 insertions(+), 8 deletions(-)

diff --git memcache-3.0.5/memcache_pool.c memcache-3.0.5/memcache_pool.c
index 420a773..e89ebce 100644
--- memcache-3.0.5/memcache_pool.c
+++ memcache-3.0.5/memcache_pool.c
@@ -422,8 +422,8 @@ int mmc_unpack_value(
 char *data = NULL;
 unsigned long data_len;
- zval value;
- INIT_ZVAL(value);
+ zval *object;
+ ALLOC_INIT_ZVAL(object);
 if (flags & MMC_COMPRESSED) {
 if (mmc_uncompress(buffer->value.c, bytes, &data, &data_len) != MMC_OK) {
@@ -439,7 +439,6 @@ int mmc_unpack_value(
 if (flags & MMC_SERIALIZED) {
 php_unserialize_data_t var_hash;
 const unsigned char *p = (unsigned char *)data;
- zval *object = &value;
 char key_tmp[MMC_MAX_KEY_LEN + 1];
 mmc_request_value_handler value_handler;
@@ -495,7 +494,7 @@ int mmc_unpack_value(
 long val;
 data[data_len] = '\0';
 val = strtol(data, NULL, 10);
- ZVAL_LONG(&value, val);
+ ZVAL_LONG(object, val);
 break;
 }
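Review bot: Swapping the stack zval for `ALLOC_INIT_ZVAL(object)` in the first hunk turns every early exit taken before the handler receives the pointer into a heap leak, starting with the `mmc_uncompress` failure branch directly below the allocation; the unserialize failure path inside the `MMC_SERIALIZED` branch (second hunk) presumably is another such exit. Each of those exits should now release the zval, e.g. `FREE_ZVAL(object);` before the allocation has been populated, or `zval_ptr_dtor(&object);` once it holds data. The bodies of those branches are not in the patch, so I cannot confirm they return early, but the old stack zval needed no cleanup there and nothing in the diff adds any. The same pointer is consumed in the third hunk's `ZVAL_LONG(object, val)`, so the ownership rule applies to all value types. mmc_unpack_value begins before the first hunk and continues past the third.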
@@ -503,17 +502,17 @@ int mmc_unpack_value(
 double val = 0;
 data[data_len] = '\0';
 sscanf(data, "%lg", &val);
- ZVAL_DOUBLE(&value, val);
+ ZVAL_DOUBLE(object, val);
 break;
 }
 case MMC_TYPE_BOOL:
- ZVAL_BOOL(&value, data_len == 1 && data[0] == '1');
+ ZVAL_BOOL(object, data_len == 1 && data[0] == '1');
 break;
 default:
 data[data_len] = '\0';
- ZVAL_STRINGL(&value, data, data_len, 0);
+ ZVAL_STRINGL(object, data, data_len, 0);
 if (!(flags & MMC_COMPRESSED)) {
 /* release buffer because it's now owned by the zval */
@@ -522,7 +521,7 @@ int mmc_unpack_value(
 }
 /* delegate to value handler */
- return request->value_handler(key, key_len, &value, flags, cas, request->value_handler_param TSRMLS_CC);
+ return request->value_handler(key, key_len, object, flags, cas, request->value_handler_param TSRMLS_CC);
 }
 }
 /* }}}*/
--
1.7.6.2
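Review bot: The `return request->value_handler(key, key_len, object, ...)` line in the last hunk now hands a heap-allocated zval to the callback, but nothing states who frees it, and if a handler reports failure without storing the zval the caller has already returned and can no longer release it. The comment above the call should spell out the contract, e.g. `/* delegate to value handler; it takes ownership of object and must store or free it */`, so that every `mmc_request_value_handler` implementation is written (and audited) to adopt the pointer rather than copy from it. This matters doubly for the `default:` case in the previous hunk, where `ZVAL_STRINGL(object, data, data_len, 0)` already transfers the `data` buffer into that zval, so a dropped zval leaks the decoded payload as well. Whether the existing handlers already store the pointer is not visible in the patch; I am inferring the risk from the changed handoff alone.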