From: Sara Golemon
Date: Wed, 17 Jun 2015 20:26:48 +0000 (-0700)
Subject: Fix buffer growth in sockets/conversion.c
X-Git-Tag: php-5.5.27RC1~9^2~7
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d241711f44e85c9c59e73c17244c867820ba89e8;p=php
Fix buffer growth in sockets/conversion.c memset() the *end* of the new buffer, not the beginning Copy the pointer to the buffer, not its initial contents Fixes bug 69619
---
diff --git a/ext/sockets/conversions.c b/ext/sockets/conversions.c
index d81484521d..30e895d97b 100644
--- a/ext/sockets/conversions.c
+++ b/ext/sockets/conversions.c
@@ -910,8 +910,8 @@ static void from_zval_write_control(const zval *arr,
 if (space_left < req_space) {
 *control_buf = safe_erealloc(*control_buf, 2, req_space, *control_len);
 *control_len += 2 * req_space;
- memset(*control_buf, '\0', *control_len - *offset);
- memcpy(&alloc->data, *control_buf, sizeof *control_buf);
+ memset(*control_buf + *offset, '\0', *control_len - *offset);
+ memcpy(&alloc->data, control_buf, sizeof *control_buf);
 }
 cmsghdr = (struct cmsghdr*)(((char*)*control_buf) + *offset);
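Review bot: The added memset does pointer arithmetic directly on `*control_buf`, while the context line just after the block casts to `char*` before adding `*offset`. The declaration of `control_buf` is outside the hunk, so this is inferred: if `*control_buf` is a `void *`, the addition relies on a compiler extension rather than standard C, and if it is any wider pointer type the offset is scaled and the zeroing lands past the end of the reallocated buffer. Writing it as `memset((char *)*control_buf + *offset, '\0', *control_len - *offset);` keeps the byte offset explicit and matches the `cmsghdr` computation below. The `memcpy` of `sizeof *control_buf` bytes from `control_buf` stores the new buffer pointer into `alloc->data`; a short comment such as `/* alloc->data holds the buffer pointer, which erealloc may have moved */` would stop a later reader from reverting it to copy buffer contents. from_zval_write_control starts and ends outside the hunk.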