php: Fix memory corruption for uwsgi_cache_*
Ah the joys of variadic arguments in C...

So, when using zend_parse_parameters(), PHP internally loops through the type specifiers and accordingly uses va_arg() to get the corresponding argument.

Since the arguments are expected to be pointers to the corresponding values, the size of them *does* matter, because PHP simply writes to the corresponding address with a size of size_t.

If we for example pass a pointer to a 32bit integer and PHP writes 64 bits, we have an overflow of 4 bytes.

From README.PARAMETER_PARSING_API in the PHP source tree:

> Please note that since version 7 PHP uses zend_long as integer type
> and zend_string with size_t as length, so make sure you pass
> zend_longs to "l" and size_t to strings length (i.e. for "s" you need
> to pass char * and size_t), not the other way round!
>
> Both mistakes might cause memory corruptions and segfaults:
> 1)
>   char *str;
>   long str_len; /* XXX THIS IS WRONG!! Use size_t instead. */
>   zend_parse_parameters(ZEND_NUM_ARGS(), "s", &str, &str_len)
>
> 2)
>   int num; /* XXX THIS IS WRONG!! Use zend_long instead. */
>   zend_parse_parameters(ZEND_NUM_ARGS(), "l", &num)

To fix this, I changed the types accordingly to use size_t and zend_long if the PHP major version is >= 7.

Signed-off-by: aszlig <aszlig@nix.build>
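An added illustration of the bug class this commit message describes, not code from uWSGI or PHP: `mock_parse` is a hypothetical stand-in for zend_parse_parameters(), `int64_t` is assumed to match zend_long on a 64-bit build, and a canary-filled byte array models the caller's stack slot so the overrun can be counted without relying on undefined behaviour.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for zend_parse_parameters(): for every 'l' in the
 * spec it stores a 64-bit integer through the next pointer argument. Like any
 * variadic callee, it cannot see how large the caller's variable really is. */
static void mock_parse(const char *spec, ...)
{
    va_list ap;
    va_start(ap, spec);
    for (; *spec; spec++) {
        if (*spec == 'l') {
            void *dst = va_arg(ap, void *);
            int64_t value = 42;             /* constructed sample argument */
            memcpy(dst, &value, sizeof value);
        }
    }
    va_end(ap);
}

/* Model a caller whose variable occupies the first slot_size bytes of a
 * frame, parse into it, and count the canary bytes past the slot that were
 * overwritten. */
static int clobbered_after(size_t slot_size)
{
    unsigned char frame[16];
    int n = 0;

    memset(frame, 0xAA, sizeof frame);      /* canary pattern */
    mock_parse("l", (void *)frame);         /* variable starts at frame[0] */
    for (size_t i = slot_size; i < sizeof frame; i++)
        if (frame[i] != 0xAA)
            n++;
    return n;
}

int main(void)
{
    printf("int-sized slot:   %d bytes clobbered\n",
           clobbered_after(sizeof(int32_t)));
    printf("zend_long-sized:  %d bytes clobbered\n",
           clobbered_after(sizeof(int64_t)));
    return 0;
}
```

Because the compiler does not type-check pointer arguments passed through `...`, a mismatch like this produces no diagnostic unless the callee carries a format attribute, so the declared types at each call site have to be reviewed against the specifier string.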