Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:3648
Return-Path: <andi@zend.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 43189 invoked from network); 30 Jul 2003 19:03:00 -0000
Received: from unknown (HELO mail.zend.com) (192.117.235.230)
  by pb1.pair.com with SMTP; 30 Jul 2003 19:03:00 -0000
Received: (qmail 27388 invoked from network); 30 Jul 2003 19:02:58 -0000
Received: from localhost (HELO andi-laptop.zend.com) (127.0.0.1)
  by localhost with SMTP; 30 Jul 2003 19:02:58 -0000
Message-ID: <5.1.0.14.2.20030730213551.03635878@127.0.0.1>
X-Sender: andi@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 30 Jul 2003 22:02:06 +0300
To: "Vesselin Atanasov" <vma1@abv.bg>,"PHP-DEV" <internals@lists.php.net>
In-Reply-To: <JJEIJKBBKGFHEDGHDANNOEEPCAAA.vma1@abv.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: Re: [PHP-DEV] Question about zend_hash.c, UPDATE_DATA macro
From: andi@zend.com (Andi Gutmans)
References: <JJEIJKBBKGFHEDGHDANNOEEPCAAA.vma1@abv.bg>

Yes you are right. There indeed seems to be some flaw in the logic. I'll 
commit a fix in a few minutes.
Please test it and let me know if it fixes your problems.

Thanks,

Andi


At 02:50 PM 7/29/2003 +0300, Vesselin Atanasov wrote:
>Hello.
>In PHP5, file zend_hash.c there is a macro
>
>#define UPDATE_DATA(ht, p, pData, nDataSize)
>\
>         if (nDataSize == sizeof(void*))
>{
>\
>                 if (!(p)->pDataPtr)
>{
>\
>                         pefree((p)->pData, (ht)->persistent);
>\
>                 }
>\
>                 memcpy(&(p)->pDataPtr, pData, sizeof(void *));
>\
>                 (p)->pData = &(p)->pDataPtr;
>\
>         } else
>{
>\
>                 if ((p)->pDataPtr)
>{
>\
>                         (p)->pData = (void *) pemalloc(nDataSize,
>(ht)->persistent);    \
>                         (p)->pDataPtr=NULL;
>\
>                 }
>\
>                 memcpy((p)->pData, pData, nDataSize);
>\
>         }
>
>The macro is used to update a hash table element in
>zend_hash_add_or_update(). But it seems to me that if p->pData already
>points to a
>data block that hash size != sizeof (void *), and the macro is called to
>update the hash element with another block that has
>size != sizeof (void *), then the data block pointed at by p->pData will not
>be reallocated and the last memcpy() call will overwrite the old
>data block with the new data. This could possibly lead to memory corruption
>if the new block is bigger than the old block.
>
>Could any of the PHP developers comment on this?
>
>
>--
>PHP Internals - PHP Runtime Development Mailing List
>To unsubscribe, visit: http://www.php.net/unsub.php