Edit report at https://bugs.php.net/bug.php?id=55750&edit=1

 ID:                 55750
 User updated by:    jeffhuang9999 at gmail dot com
 Reported by:        jeffhuang9999 at gmail dot com
 Summary:            memory copy issue in sysvshm extension
 Status:             Open
 Type:               Bug
 Package:            *General Issues
 Operating System:   Linux
 PHP Version:        5.4SVN-2011-09-21 (snap)
 Block user comment: N
 Private report:     N

 New Comment:

Patch:

--- ext/sysvshm/sysvshm.c
+++ ext/sysvshm/sysvshm.c
@@ -424,7 +424,7 @@
        ptr->free += chunk_ptr->next;
        ptr->end -= chunk_ptr->next;
        if (memcpy_len > 0) {
-               memcpy(chunk_ptr, next_chunk_ptr, memcpy_len);
+               memmove(chunk_ptr, next_chunk_ptr, memcpy_len);
        }
        return 0;
 }


Previous Comments:
------------------------------------------------------------------------
[2011-09-21 06:03:03] jeffhuang9999 at gmail dot com

Description:
------------
In the function php_remove_shm_data() in ext/sysvshm/sysvshm.c, memcpy() is 
used for copying a piece of data from next_chunk_ptr to chunk_ptr.  If there is 
an memory overlap between the source and the destination, using memcpy() could 
result in unexpected result.


Test script:
---------------
NA



------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=55750&edit=1

Reply via email to