From d241711f44e85c9c59e73c17244c867820ba89e8 Mon Sep 17 00:00:00 2001
From: Sara Golemon
Date: Wed, 17 Jun 2015 13:26:48 -0700
Subject: [PATCH] Fix buffer growth in sockets/conversion.c memset() the *end* of the new buffer, not the beginning Copy the pointer to the buffer, not its initial contents Fixes bug 69619
---
 ext/sockets/conversions.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ext/sockets/conversions.c b/ext/sockets/conversions.c
index d81484521d..30e895d97b 100644
--- ext/sockets/conversions.c
+++ b/ext/sockets/conversions.c
@@ -910,8 +910,8 @@ static void from_zval_write_control(const zval *arr,
 if (space_left < req_space) {
 *control_buf = safe_erealloc(*control_buf, 2, req_space, *control_len);
 *control_len += 2 * req_space;
- memset(*control_buf, '\0', *control_len - *offset);
- memcpy(&alloc->data, *control_buf, sizeof *control_buf);
+ memset(*control_buf + *offset, '\0', *control_len - *offset);
+ memcpy(&alloc->data, control_buf, sizeof *control_buf);
 }

 cmsghdr = (struct cmsghdr*)(((char*)*control_buf) + *offset);
-- 
2.49.0
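Review bot: The new `memset(*control_buf + *offset, ...)` does pointer arithmetic directly on `*control_buf`, and the cast on the following `cmsghdr = (struct cmsghdr*)(((char*)*control_buf) + *offset)` line suggests that this is a `void *`; arithmetic on `void *` is a GNU extension rather than standard C, so stricter compilers will reject the line. Writing it as `memset((char *)*control_buf + *offset, '\0', *control_len - *offset);` matches the neighbouring line and keeps the byte offset explicit. The old code zeroed live control data and copied the buffer's first bytes into `alloc->data` instead of the reallocated pointer, so a regression test that exercises this growth path would be worth adding alongside the fix; the commit touches only conversions.c. The declaration of `control_buf` and the rest of from_zval_write_control lie outside the hunk, so the pointer type is inferred from the cast rather than seen.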