websupport-sk / pecl-memcache

PHP Extension - Memcache module with support of newer PHP 7.x and PHP 8.x
https://pecl.php.net/package/memcache

Memory corruption in mmc_flush_handler #97

Closed vnsavage closed 2 years ago

vnsavage commented 2 years ago

In mmc_flush_handler the return param is a pointer to integer and ZVAL_FALSE should not be used as it results in memory corruption. The failure case is not supposed to modify the return param.

The problem can be reproduced by disabling flush_all in the Memcached server.

thesource93 commented 2 years ago

yes, nice catch. much appreciated.

if (response == MMC_OK) { (*((int *)param))++;

The default case is false. The casting in the success case is a little awkward; I'm not currently sure why it is this way, other than that we take (void *)param instead of zval *param.

the suggested change seems to work. fixes the bug.

vnsavage commented 2 years ago

Thanks! For the success case - yeah, I think an int is passed to the handler so that's why the (void *) is cast to (int *) and incremented afterwards.
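The type mismatch discussed in this thread, as an added example that is not part of the thread or of the extension's source: ZVAL_FALSE stores a type tag into a zval's type field, so applying it to a pointer that really addresses an int writes past that int. The `fake_zval` layout, the constants, the `struct frame` neighbour and the handler names are simplified stand-ins assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins (assumptions): simplified PHP 7+ zval layout and constants. */
typedef struct { uint64_t value; uint32_t type_info; uint32_t u2; } fake_zval;
#define IS_FALSE 2u
#define MMC_OK 0
#define RESPONSE_FAILED (-1)   /* constructed failure code */
#define CANARY 0xAABBCCDDu     /* constructed marker for the adjacent word */

/* Caller-side storage: the int the handler is given, plus what sits next to it. */
struct frame { int responses; int pad; uint32_t neighbour; uint32_t tail; };
_Static_assert(offsetof(struct frame, neighbour) == offsetof(fake_zval, type_info),
               "neighbour overlays the zval type field");

/* What ZVAL_FALSE amounts to: store IS_FALSE into the zval's type field. */
static void zval_false_standin(void *z) {
    uint32_t t = IS_FALSE;
    memcpy((unsigned char *)z + offsetof(fake_zval, type_info), &t, sizeof t);
}

/* Before: the failure path treats the int pointer as a zval pointer. */
static void flush_handler_buggy(int response, void *param) {
    if (response == MMC_OK) { (*((int *)param))++; return; }
    zval_false_standin(param);   /* writes 4 bytes at param + 8 */
}

/* After: the failure path leaves the return param untouched. */
static void flush_handler_fixed(int response, void *param) {
    if (response == MMC_OK) (*((int *)param))++;
}

/* Run one response through a handler; return the neighbouring word afterwards. */
uint32_t neighbour_after(int use_fixed, int response, int *count_out) {
    struct frame f = { 0, 0, CANARY, CANARY };
    void *param = &f;            /* same address as &f.responses */
    if (use_fixed) flush_handler_fixed(response, param);
    else flush_handler_buggy(response, param);
    if (count_out) *count_out = f.responses;
    return f.neighbour;
}
```

In this model the overwritten word is a harmless struct field; in a real caller it is whatever happens to sit 8 bytes past the int.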