Edit report at https://bugs.php.net/bug.php?id=55750&edit=1
ID:                 55750
User updated by:    jeffhuang9999 at gmail dot com
Reported by:        jeffhuang9999 at gmail dot com
Summary:            memory copy issue in sysvshm extension
Status:             Open
Type:               Bug
Package:            *General Issues
Operating System:   Linux
PHP Version:        5.4SVN-2011-09-21 (snap)
Block user comment: N
Private report:     N

New Comment:

Patch:

--- ext/sysvshm/sysvshm.c +++ ext/sysvshm/sysvshm.c @@ -424,7 +424,7 @@ ptr->free += chunk_ptr->next; ptr->end -= chunk_ptr->next; if (memcpy_len > 0) { - memcpy(chunk_ptr, next_chunk_ptr, memcpy_len); + memmove(chunk_ptr, next_chunk_ptr, memcpy_len); } return 0; }

Previous Comments:
------------------------------------------------------------------------
[2011-09-21 06:03:03] jeffhuang9999 at gmail dot com

Description:
------------
In the function php_remove_shm_data() in ext/sysvshm/sysvshm.c, memcpy() is used for copying a piece of data from next_chunk_ptr to chunk_ptr. If there is a memory overlap between the source and the destination, using memcpy() could result in an unexpected result.

Test script:
---------------
NA

------------------------------------------------------------------------
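Review bot: In the ext/sysvshm/sysvshm.c hunk, the length passed on the changed line is still named memcpy_len and nothing at the call site says the source and destination can overlap; rename it (move_len, for instance) or put a one-line comment above the memmove() call so a later cleanup does not switch it back to memcpy(). The two bookkeeping lines above the guard read chunk_ptr->next, which the move then overwrites with data from next_chunk_ptr, so they need to stay ahead of the copy, as they do here. The report gives no test script; a regression test that removes a variable stored ahead of larger ones would pin the overlapping case.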
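An added illustration, not code from the report or from PHP: a simplified chunk store showing why removing a chunk by sliding the tail down over it needs memmove(). The two ranges overlap whenever the tail is longer than the removed chunk. The `segment` and `chunk_hdr` types and the `seg_*` functions are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical simplified segment (not PHP's structs): chunks are packed
 * back to back, each starting with its key and total size ("next"). */
typedef struct { long key; long next; } chunk_hdr;
typedef struct { size_t end; unsigned char data[256]; } segment;

/* Append a chunk; 0 on success, -1 if it does not fit. */
static int seg_put(segment *s, long key, const void *val, size_t len) {
    chunk_hdr h = { key, (long)(sizeof h + len) };
    if (len > sizeof s->data || sizeof h + len > sizeof s->data - s->end) return -1;
    memcpy(s->data + s->end, &h, sizeof h);   /* separate objects: memcpy is fine */
    memcpy(s->data + s->end + sizeof h, val, len);
    s->end += sizeof h + len;
    return 0;
}

/* Offset of the chunk with this key, or -1. */
static long seg_find(const segment *s, long key) {
    chunk_hdr h;
    for (size_t off = 0; off < s->end; off += (size_t)h.next) {
        memcpy(&h, s->data + off, sizeof h);
        if (h.key == key) return (long)off;
    }
    return -1;
}

/* Remove a chunk by sliding the tail down over it. *overlap is set when the
 * source and destination ranges share bytes, where memcpy is undefined. */
static int seg_remove(segment *s, long key, int *overlap) {
    long off = seg_find(s, key);
    if (off < 0) return -1;
    chunk_hdr h;
    memcpy(&h, s->data + off, sizeof h);
    unsigned char *dst = s->data + off, *src = dst + h.next;
    size_t move_len = s->end - ((size_t)off + (size_t)h.next);
    *overlap = move_len > (size_t)h.next;  /* dst + move_len runs past src */
    s->end -= (size_t)h.next;              /* update before the header is overwritten */
    if (move_len > 0) memmove(dst, src, move_len);
    return 0;
}

int main(void) {
    segment s = { 0 };
    int ov = 0;
    seg_put(&s, 1, "ab", 2);
    seg_put(&s, 2, "a value longer than the first chunk", 35);
    return !(seg_remove(&s, 1, &ov) == 0 && ov == 1 && seg_find(&s, 2) == 0);
}
```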