Fix buffer growth in sockets/conversion.c
authorSara Golemon <sgolemon@fb.com>
Wed, 17 Jun 2015 20:26:48 +0000 (13:26 -0700)
committerSara Golemon <sgolemon@fb.com>
Wed, 17 Jun 2015 20:34:20 +0000 (13:34 -0700)
memset() the *end* of the new buffer, not the beginning
Copy the pointer to the buffer, not its initial contents

Fixes bug 69619

ext/sockets/conversions.c

index d81484521d8c018f1c10c1b140a94b7f922427d6..30e895d97b893b405ae0ebf875fca2345dda95da 100644 (file)
@@ -910,8 +910,8 @@ static void from_zval_write_control(const zval                      *arr,
        if (space_left < req_space) {
                *control_buf = safe_erealloc(*control_buf, 2, req_space, *control_len);
                *control_len += 2 * req_space;
-               memset(*control_buf, '\0', *control_len - *offset);
-               memcpy(&alloc->data, *control_buf, sizeof *control_buf);
+               memset(*control_buf + *offset, '\0', *control_len - *offset);
+               memcpy(&alloc->data, control_buf, sizeof *control_buf);
        }
 
        cmsghdr = (struct cmsghdr*)(((char*)*control_buf) + *offset);
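Review bot: The new memset line does pointer arithmetic directly on `*control_buf`, while the context line just below it casts to `(char*)` before adding `*offset`, which suggests `*control_buf` is a `void *`; arithmetic on `void *` is a GCC extension, not standard C, and some compilers reject or warn on it. Make the two lines consistent: `memset((char *)*control_buf + *offset, '\0', *control_len - *offset);`. The fix itself is otherwise sound: the zeroed span now starts at the write position and, since `*control_len` was just grown by `2 * req_space`, covers the whole new tail, and the llist element now records the reallocated pointer rather than the buffer's first bytes. A short why-comment on the memcpy would help the next reader, e.g. `/* the buffer may have moved; update the pointer tracked for freeing */`. from_zval_write_control starts before this hunk and continues after it, so the declared type of control_buf cannot be confirmed from here.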