[PHP-BUG] Bug #55750 [NEW]: memory copy issue in sysvshm extension
From:
Operating system: Linux
PHP version: 5.4SVN-2011-09-21 (snap)
Package: *General Issues
Bug Type: Bug
Bug description: memory copy issue in sysvshm extension

Description:
In the function php_remove_shm_data() in ext/sysvshm/sysvshm.c, memcpy() is used for copying a piece of data from next_chunk_ptr to chunk_ptr. If there is a memory overlap between the source and the destination, using memcpy() could result in unexpected results.

Test script:
---
NA

--
Edit bug report at https://bugs.php.net/bug.php?id=55750&edit=1
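The overlap hazard this report describes, as an added C example that is not code from PHP or from the reporter: a constructed packed-chunk area where removing a chunk slides the tail down with memmove() and reports whether source and destination overlapped. The chunk_hdr layout and the names regions_overlap, remove_chunk and put_chunk are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not PHP's structures: chunks sit back to back and each
 * starts with a header whose `next` is the chunk's total size in bytes. */
typedef struct { uint32_t next; uint32_t key; } chunk_hdr;

/* True when [dst, dst+n) and [src, src+n) share at least one byte. */
static int regions_overlap(const unsigned char *dst, const unsigned char *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    return n > 0 && (d < s ? s - d < n : d - s < n);
}

/* Remove the chunk at offset `off` from an area with `*end` used bytes by
 * sliding the tail down over it. Returns -1 for a bad offset or length, 1 if
 * source and destination overlapped (memcpy() would be undefined), else 0. */
static int remove_chunk(unsigned char *area, size_t *end, size_t off)
{
    chunk_hdr h;
    if (off > *end || *end - off < sizeof h) return -1;
    memcpy(&h, area + off, sizeof h);       /* separate objects: memcpy is fine */
    if (h.next < sizeof h || h.next > *end - off) return -1;
    unsigned char *dst = area + off, *src = dst + h.next;
    size_t tail = *end - off - h.next;
    int overlapped = regions_overlap(dst, src, tail);
    if (tail > 0) memmove(dst, src, tail);  /* defined for any overlap */
    *end -= h.next;
    return overlapped;
}

/* Append a chunk carrying `payload` bytes of `fill`; the caller ensures room. */
static void put_chunk(unsigned char *area, size_t *end, uint32_t key, size_t payload, unsigned char fill)
{
    chunk_hdr h = { (uint32_t)(sizeof h + payload), key };
    memcpy(area + *end, &h, sizeof h);
    memset(area + *end + sizeof h, fill, payload);
    *end += h.next;
}

int main(void)
{
    unsigned char area[128]; size_t end = 0;
    put_chunk(area, &end, 1, 4, 'a');       /* constructed data: 12-byte chunk */
    put_chunk(area, &end, 2, 32, 'b');      /* constructed data: 40-byte chunk */
    int r = remove_chunk(area, &end, 0);    /* 40-byte tail over a 12-byte gap */
    printf("overlap=%d end=%zu\n", r, end);
}
```

The copy overlaps whenever the tail being moved is longer than the chunk being removed, which is the common case when a small entry near the front of the area is deleted.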
Bug #55750 [Opn]: memory copy issue in sysvshm extension
Edit report at https://bugs.php.net/bug.php?id=55750&edit=1

ID: 55750
User updated by: jeffhuang9999 at gmail dot com
Reported by: jeffhuang9999 at gmail dot com
Summary: memory copy issue in sysvshm extension
Status: Open
Type: Bug
Package: *General Issues
Operating System: Linux
PHP Version: 5.4SVN-2011-09-21 (snap)
Block user comment: N
Private report: N

New Comment:

Patch:
--- ext/sysvshm/sysvshm.c +++ ext/sysvshm/sysvshm.c @@ -424,7 +424,7 @@ ptr->free += chunk_ptr->next; ptr->end -= chunk_ptr->next; if (memcpy_len > 0) { - memcpy(chunk_ptr, next_chunk_ptr, memcpy_len); + memmove(chunk_ptr, next_chunk_ptr, memcpy_len); } return 0; }

Previous Comments:
[2011-09-21 06:03:03] jeffhuang9999 at gmail dot com

Description:
In the function php_remove_shm_data() in ext/sysvshm/sysvshm.c, memcpy() is used for copying a piece of data from next_chunk_ptr to chunk_ptr. If there is a memory overlap between the source and the destination, using memcpy() could result in unexpected results.

Test script:
---
NA

--
Edit this bug report at https://bugs.php.net/bug.php?id=55750&edit=1
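Review bot: the `memmove(chunk_ptr, next_chunk_ptr, memcpy_len)` line in the patch above arrives without a regression test (the report's test script is "NA"), so nothing exercises the overlapping copy it is meant to fix. Please add a test that reaches php_remove_shm_data() with data stored after the removed chunk, so that `memcpy_len > 0` holds and the moved region is longer than the chunk being removed, then checks that the remaining data reads back intact. As a smaller style point, the variable name `memcpy_len` no longer matches the call it feeds; renaming it is optional if you prefer to keep the diff to one line.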