Fix buffer growth in sockets/conversion.c

memset() the *end* of the new buffer, not the beginning
Copy the pointer to the buffer, not its initial contents

Fixes bug 69619
Sara Golemon 2015-06-17 13:26:48 -07:00
parent 61d58f2d9e
commit d241711f44


@ -910,8 +910,8 @@ static void from_zval_write_control(const zval *arr,
if (space_left < req_space) {
*control_buf = safe_erealloc(*control_buf, 2, req_space, *control_len);
*control_len += 2 * req_space;
memset(*control_buf, '\0', *control_len - *offset);
memcpy(&alloc->data, *control_buf, sizeof *control_buf);
memset(*control_buf + *offset, '\0', *control_len - *offset);
memcpy(&alloc->data, control_buf, sizeof *control_buf);
}
cmsghdr = (struct cmsghdr*)(((char*)*control_buf) + *offset);
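Review bot: The new `memset` does pointer arithmetic directly on `*control_buf`, whereas the `cmsghdr = ...` line just below casts to `char*` before adding `*offset`. If `*control_buf` is a `void *` (its declaration is outside the hunk), `*control_buf + *offset` relies on a GNU extension and may not build on stricter compilers; `memset((char *)*control_buf + *offset, '\0', *control_len - *offset);` would match the line below. The `memcpy(&alloc->data, control_buf, sizeof *control_buf)` is also easy to misread, as the bug being fixed shows. A comment such as `/* erealloc may have moved the block: store the new pointer in the tracked allocation */` would make the intent explicit, or a plain `alloc->data = *control_buf;` if the types allow it. from_zval_write_control starts and ends outside the hunk.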