php: Fix memory corruption for uwsgi_cache_* #2108

Merged
merged 1 commit into from
Jan 19, 2020

Commits on Jan 19, 2020

  1. php: Fix memory corruption for uwsgi_cache_*

    Ah the joys of variadic arguments in C...
    
    So, when using zend_parse_parameters(), PHP internally loops through the
    type specifiers and accordingly uses va_arg() to get the corresponding
    argument.
    
    Since the arguments are expected to be pointers to the corresponding
    values, the size of them *does* matter, because PHP simply writes to the
    corresponding address with a size of size_t.
    
    If we for example pass a pointer to a 32bit integer and PHP writes 64
    bits, we have an overflow of 4 bytes.
    
    From README.PARAMETER_PARSING_API in the PHP source tree:
    
    > Please note that since version 7 PHP uses zend_long as integer type
    > and zend_string with size_t as length, so make sure you pass
    > zend_longs to "l" and size_t to strings length (i.e. for "s" you need
    > to pass char * and size_t), not the other way round!
    >
    > Both mistakes might cause memory corruptions and segfaults:
    > 1)
    >   char *str;
    >   long str_len; /* XXX THIS IS WRONG!! Use size_t instead. */
    >   zend_parse_parameters(ZEND_NUM_ARGS(), "s", &str, &str_len)
    >
    > 2)
    >   int num; /* XXX THIS IS WRONG!! Use zend_long instead. */
    >   zend_parse_parameters(ZEND_NUM_ARGS(), "l", &num)
    
    To fix this, I changed the types accordingly to use size_t and
    zend_long if the PHP major version is >= 7.
    
    Signed-off-by: aszlig <aszlig@nix.build>
    aszlig committed Jan 19, 2020
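The size mismatch described in the commit message, reduced to a stand-alone C model (an added example, not code from uWSGI or PHP). `toy_parse`, `toy_long`, the two structs and the `CANARY` value are hypothetical stand-ins; nothing here calls the real `zend_parse_parameters()`.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int64_t toy_long;      /* assumption: stands in for a 64-bit zend_long */
#define CANARY 0xCAFEF00Du     /* constructed marker value */

/* Toy parser (hypothetical): for every 'l' it takes the next pointer from the
 * varargs and stores sizeof(toy_long) bytes there, whatever the caller passed. */
static void toy_parse(const char *spec, const toy_long *values, ...)
{
    va_list ap;
    va_start(ap, values);
    for (; *spec; spec++) {
        if (*spec == 'l') {
            void *dest = va_arg(ap, void *);   /* pointee size is unknown here */
            memcpy(dest, values++, sizeof(toy_long));
        }
    }
    va_end(ap);
}

/* Wrapping the slot in a struct keeps the 8-byte store inside one object, so the
 * damage is observable without undefined behaviour. */
struct narrow { int32_t num; uint32_t neighbor; };    /* pre-fix pattern */
struct wide   { toy_long num; uint32_t neighbor; };   /* post-fix pattern */

/* Parse into a 4-byte slot and return what is left of the neighbour. */
uint32_t neighbor_after_narrow(toy_long v)
{
    struct narrow f = { 0, CANARY };
    toy_parse("l", &v, (void *)&f);   /* &f is also the address of f.num */
    return f.neighbor;
}

/* Parse into a correctly sized slot; 1 if value and neighbour are both intact. */
int wide_is_intact(toy_long v)
{
    struct wide f = { 0, CANARY };
    toy_parse("l", &v, (void *)&f.num);
    return f.num == v && f.neighbor == CANARY;
}

int main(void)
{
    printf("narrow=0x%08x wide_ok=%d\n", (unsigned)neighbor_after_narrow(-1), wide_is_intact(-1));
    return 0;
}
```

In real code the four extra bytes land in whatever the compiler placed next to the 32-bit variable, which is why the effect shows up as memory corruption rather than a compile error.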
    f8b4c28