Edit report at https://bugs.php.net/bug.php?id=55750&edit=1
ID: 55750
User updated by: jeffhuang9999 at gmail dot com
Reported by: jeffhuang9999 at gmail dot com
Summary: memory copy issue in sysvshm extension
Status: Open
Type: Bug
Package: *General Issues
Operating System: Linux
PHP Version: 5.4SVN-2011-09-21 (snap)
Block user comment: N
Private report: N
New Comment:
Patch:
--- ext/sysvshm/sysvshm.c
+++ ext/sysvshm/sysvshm.c
@@ -424,7 +424,7 @@
ptr->free += chunk_ptr->next;
ptr->end -= chunk_ptr->next;
if (memcpy_len > 0) {
- memcpy(chunk_ptr, next_chunk_ptr, memcpy_len);
+ memmove(chunk_ptr, next_chunk_ptr, memcpy_len);
}
return 0;
}
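Review bot: The memmove() line near the end of this hunk should carry a short comment saying that the source and destination ranges can overlap (the reason given in the report), so that a later cleanup does not turn it back into memcpy(). The guard and length variable are still named memcpy_len, which no longer matches the call; renaming it (for example to move_len) would keep the code self-describing. The report lists no test script, so a regression test that removes a variable stored ahead of other data would help confirm the fix.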
Previous Comments:
------------------------------------------------------------------------
[2011-09-21 06:03:03] jeffhuang9999 at gmail dot com
Description:
------------
In the function php_remove_shm_data() in ext/sysvshm/sysvshm.c, memcpy() is
used for copying a piece of data from next_chunk_ptr to chunk_ptr. If there is
a memory overlap between the source and the destination, using memcpy() could
result in an unexpected result.
Test script:
---------------
NA
------------------------------------------------------------------------
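The overlap described in the report, shown on a simplified model as an added example (this is not code from ext/sysvshm; `store`, `rec_hdr`, `store_put`, `store_find`, `ranges_overlap` and `store_remove` are hypothetical names). Records are packed back to back, and removing one slides the tail down over it; the ranges overlap whenever the tail is longer than the removed record, which is when memcpy() is undefined and memmove() is required:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: records packed back to back, each led by a header. */
typedef struct { long key; size_t next; } rec_hdr;   /* next = record size */
typedef struct { size_t end; unsigned char data[256]; } store;

static int store_put(store *s, long key, const char *val) {
    rec_hdr h = { key, sizeof h + strlen(val) + 1 };
    if (h.next > sizeof s->data - s->end) return -1;  /* no room */
    memcpy(s->data + s->end, &h, sizeof h);           /* distinct objects */
    memcpy(s->data + s->end + sizeof h, val, h.next - sizeof h);
    s->end += h.next;
    return 0;
}

/* Offset of the record with this key, or -1 if it is not stored. */
static long store_find(const store *s, long key) {
    for (size_t pos = 0; pos < s->end; ) {
        rec_hdr h;
        memcpy(&h, s->data + pos, sizeof h);          /* avoids unaligned access */
        if (h.key == key) return (long)pos;
        pos += h.next;
    }
    return -1;
}

/* True when [dst, dst+n) and [src, src+n) share at least one byte. */
static int ranges_overlap(const void *dst, const void *src, size_t n) {
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    return d < s ? s - d < n : d - s < n;
}

/* Remove a record by sliding the tail down over it. *overlap reports whether
 * source and destination overlapped. Returns 0, or -1 if the key is absent. */
static int store_remove(store *s, long key, int *overlap) {
    long pos = store_find(s, key);
    if (pos < 0) return -1;
    rec_hdr h;
    memcpy(&h, s->data + pos, sizeof h);
    unsigned char *dst = s->data + pos, *src = dst + h.next;
    size_t tail = s->end - ((size_t)pos + h.next);
    *overlap = tail > 0 && ranges_overlap(dst, src, tail);
    if (tail > 0) memmove(dst, src, tail);            /* defined for overlap */
    s->end -= h.next;
    return 0;
}
```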