Newsgroups: php.internals
Subject: Question about zend_hash.c, UPDATE_DATA macro
From: vma1@abv.bg ("Vesselin Atanasov")
To: "PHP-DEV"
Date: Tue, 29 Jul 2003 14:50:16 +0300

Hello.

In PHP5, file zend_hash.c, there is a macro:

    #define UPDATE_DATA(ht, p, pData, nDataSize)                           \
        if (nDataSize == sizeof(void*)) {                                   \
            if (!(p)->pDataPtr) {                                           \
                pefree((p)->pData, (ht)->persistent);                       \
            }                                                               \
            memcpy(&(p)->pDataPtr, pData, sizeof(void *));                  \
            (p)->pData = &(p)->pDataPtr;                                    \
        } else {                                                            \
            if ((p)->pDataPtr) {                                            \
                (p)->pData = (void *) pemalloc(nDataSize, (ht)->persistent); \
                (p)->pDataPtr=NULL;                                         \
            }                                                               \
            memcpy((p)->pData, pData, nDataSize);                           \
        }

The macro is used to update a hash table element in zend_hash_add_or_update(). But it seems to me that if p->pData already points to a data block that has size != sizeof (void *), and the macro is called to update the hash element with another block that has size != sizeof (void *), then the data block pointed at by p->pData will not be reallocated and the last memcpy() call will overwrite the old data block with the new data. This could possibly lead to memory corruption if the new block is bigger than the old block.
Could any of the PHP developers comment on this?
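The scenario the post describes, as an added stand-alone example (not PHP's own code): a minimal model of the Bucket fields UPDATE_DATA touches, with an update routine that reallocates whenever the stored size changes instead of copying into the existing block. The `alloc_size` field and the `demo_grow()` driver are assumptions added here for illustration; only the non-persistent (malloc/free) case is modelled.

```c
/* Added example, not code from PHP: a stand-alone model of the Bucket
 * fields UPDATE_DATA touches, with an update that reallocates whenever
 * the stored size changes. alloc_size is bookkeeping added here only
 * for illustration; non-persistent (malloc/free) case only. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    void  *pData;      /* where the element's data lives */
    void  *pDataPtr;   /* inline slot for pointer-sized data */
    size_t alloc_size; /* illustration only: bytes owned via pData */
} Bucket;

/* Returns 0 on success, -1 on allocation failure. */
static int bucket_update_data(Bucket *p, const void *src, size_t n)
{
    if (n == sizeof(void *)) {
        if (!p->pDataPtr) {          /* heap block in use: release it */
            free(p->pData);
            p->alloc_size = 0;
        }
        memcpy(&p->pDataPtr, src, sizeof(void *));
        p->pData = &p->pDataPtr;
        return 0;
    }
    /* heap case: (re)allocate if inline, or if the size differs */
    if (p->pDataPtr || p->alloc_size != n) {
        void *fresh = malloc(n);
        if (!fresh) return -1;
        if (!p->pDataPtr) free(p->pData);
        p->pData = fresh;
        p->pDataPtr = NULL;
        p->alloc_size = n;
    }
    memcpy(p->pData, src, n);   /* destination now always fits */
    return 0;
}

/* The post's scenario: store a non-pointer-sized block, then update the
 * element with a larger one. Returns 1 if the block was regrown. */
int demo_grow(void)
{
    Bucket b = {0};
    char small[2 * sizeof(void *)], big[4 * sizeof(void *)];
    memset(small, 'a', sizeof small);
    memset(big, 'b', sizeof big);
    if (bucket_update_data(&b, small, sizeof small)) return 0;
    if (bucket_update_data(&b, big, sizeof big)) return 0;
    int ok = b.alloc_size == sizeof big && memcmp(b.pData, big, sizeof big) == 0;
    free(b.pData);
    return ok;
}
```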