Edit report at https://bugs.php.net/bug.php?id=55750&edit=1
ID: 55750 Updated by: il...@php.net Reported by: jeffhuang9999 at gmail dot com Summary: memory copy issue in sysvshm extension -Status: Open +Status: Closed Type: Bug Package: *General Issues Operating System: Linux PHP Version: 5.4SVN-2011-09-21 (snap) -Assigned To: +Assigned To: iliaa Block user comment: N Private report: N New Comment: This bug has been fixed in SVN. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. For Windows: http://windows.php.net/snapshots/ Thank you for the report, and for helping us make PHP better. Previous Comments: ------------------------------------------------------------------------ [2011-10-03 18:16:50] il...@php.net Automatic comment from SVN on behalf of iliaa Revision: http://svn.php.net/viewvc/?view=revision&revision=317673 Log: Fixed bug #55750 (memory copy issue in sysvshm extension). ------------------------------------------------------------------------ [2011-09-21 06:04:28] jeffhuang9999 at gmail dot com Patch: --- ext/sysvshm/sysvshm.c +++ ext/sysvshm/sysvshm.c @@ -424,7 +424,7 @@ ptr->free += chunk_ptr->next; ptr->end -= chunk_ptr->next; if (memcpy_len > 0) { - memcpy(chunk_ptr, next_chunk_ptr, memcpy_len); + memmove(chunk_ptr, next_chunk_ptr, memcpy_len); } return 0; } ------------------------------------------------------------------------ [2011-09-21 06:03:03] jeffhuang9999 at gmail dot com Description: ------------ In the function php_remove_shm_data() in ext/sysvshm/sysvshm.c, memcpy() is used for copying a piece of data from next_chunk_ptr to chunk_ptr. If there is an memory overlap between the source and the destination, using memcpy() could result in unexpected result. Test script: --------------- NA ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=55750&edit=1
