From 6e09e8db8d36de6a5020f5d517f62a8c16af8222 Mon Sep 17 00:00:00 2001
From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com>
Date: Mon, 17 Oct 2011 16:17:51 +0200
Subject: [PATCH] fix get/unserialize memory corruption
Possible memory corruption (and segfault) after unserialising objects:
<?php
$obj = new StdClass;
$obj->obj = $obj;
$memcache = new Memcache;
$memcache->connect('127.0.0.1', 11211);
$memcache->set('x', $obj, false, 300);
$x = $memcache->get('x');
$x = $memcache->get('x');
$x = $memcache->get('x');
$x = $memcache->get('x');
$x = $memcache->get('x');
Patch by Paul Clifford.
---
memcache-3.0.5/memcache_pool.c | 15 +++++++--------
1 files changed, 7 insertions(+), 8 deletions(-)
diff --git memcache-3.0.5/memcache_pool.c memcache-3.0.5/memcache_pool.c
index 420a773..e89ebce 100644
--- memcache-3.0.5/memcache_pool.c
+++ memcache-3.0.5/memcache_pool.c
@@ -422,8 +422,8 @@ int mmc_unpack_value(
char *data = NULL;
unsigned long data_len;
- zval value;
- INIT_ZVAL(value);
+ zval *object;
+ ALLOC_INIT_ZVAL(object);
if (flags & MMC_COMPRESSED) {
if (mmc_uncompress(buffer->value.c, bytes, &data, &data_len) != MMC_OK) {
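Review bot: `ALLOC_INIT_ZVAL(object)` now heap-allocates the result before the `mmc_uncompress` check, so the failure branch of `if (mmc_uncompress(...) != MMC_OK)` — whose body lies outside the hunk — must release it (e.g. `zval_ptr_dtor(&object);`) before returning, or every undecompressable payload leaks a zval; the same holds for any early return in the MMC_SERIALIZED path touched by the second hunk. In the last hunk the value handler now receives a heap zval instead of a pointer to a stack local, and nothing in the patch says who frees it, so the ownership contract should be written down where the allocation happens. A comment such as `/* heap-allocated: unserialized self-referencing objects keep pointers to it; ownership passes to request->value_handler */` would capture that, though the handler's behaviour is not visible here and should be confirmed. mmc_unpack_value begins and ends outside the hunks.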
@@ -439,7 +439,6 @@ int mmc_unpack_value(
if (flags & MMC_SERIALIZED) {
php_unserialize_data_t var_hash;
const unsigned char *p = (unsigned char *)data;
- zval *object = &value;
char key_tmp[MMC_MAX_KEY_LEN + 1];
mmc_request_value_handler value_handler;
@@ -495,7 +494,7 @@ int mmc_unpack_value(
long val;
data[data_len] = '\0';
val = strtol(data, NULL, 10);
- ZVAL_LONG(&value, val);
+ ZVAL_LONG(object, val);
break;
}
@@ -503,17 +502,17 @@ int mmc_unpack_value(
double val = 0;
data[data_len] = '\0';
sscanf(data, "%lg", &val);
- ZVAL_DOUBLE(&value, val);
+ ZVAL_DOUBLE(object, val);
break;
}
case MMC_TYPE_BOOL:
- ZVAL_BOOL(&value, data_len == 1 && data[0] == '1');
+ ZVAL_BOOL(object, data_len == 1 && data[0] == '1');
break;
default:
data[data_len] = '\0';
- ZVAL_STRINGL(&value, data, data_len, 0);
+ ZVAL_STRINGL(object, data, data_len, 0);
if (!(flags & MMC_COMPRESSED)) {
/* release buffer because it's now owned by the zval */
@@ -522,7 +521,7 @@ int mmc_unpack_value(
}
/* delegate to value handler */
- return request->value_handler(key, key_len, &value, flags, cas, request->value_handler_param TSRMLS_CC);
+ return request->value_handler(key, key_len, object, flags, cas, request->value_handler_param TSRMLS_CC);
}
}
/* }}}*/
--
1.7.6.2