Hi,

Today while testing phar with phpMyAdmin, I was getting a really weird
error - one of the files was turning into a series of Z's, munging the
entire display.  Thinking it was a phar issue, I instead tracked it down
to a major problem in an edge case of zend_stream_fixup().  For files
that are about 4085 bytes long, the buffer containing them was being
erealloc()ed without re-assigning the new value to the zend_file_handle,
resulting in an efreed() value filled with Z's if --enable-debug was in the
configure line (whew).  A simple order change of assignment solves this one.

The attached patches against 5_3 and HEAD fix this and save the day
for pharred phpMyAdmin.

Greg
Index: Zend/zend_stream.c
===================================================================
RCS file: /repository/ZendEngine2/zend_stream.c,v
retrieving revision 1.13.2.1.2.1.2.4
diff -u -r1.13.2.1.2.1.2.4 zend_stream.c
--- Zend/zend_stream.c  4 Apr 2008 15:34:39 -0000       1.13.2.1.2.1.2.4
+++ Zend/zend_stream.c  29 Apr 2008 02:53:09 -0000
@@ -231,11 +231,11 @@
                        }
                }
                file_handle->handle.stream.mmap.map = 0;
-               file_handle->handle.stream.mmap.buf = *buf;
                file_handle->handle.stream.mmap.len = size;
                if (size && remain < ZEND_MMAP_AHEAD) {
                        *buf = safe_erealloc(*buf, size, 1, ZEND_MMAP_AHEAD);
                }
+               file_handle->handle.stream.mmap.buf = *buf;
        }
 
        if (file_handle->handle.stream.mmap.len == 0) {
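Review bot: The moved assignment `file_handle->handle.stream.mmap.buf = *buf;` now depends on coming after the `safe_erealloc()` call, but nothing in the code says so, and a later cleanup could move it back next to the `mmap.map` and `mmap.len` assignments. Please add a one-line comment above it stating that erealloc may return a different block and that the handle must be given the pointer only after the resize. A regression test that includes a file sized so that `remain < ZEND_MMAP_AHEAD` holds (the message mentions about 4085 bytes) would keep the stale-pointer case covered, since it only shows up visibly under --enable-debug.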
Index: Zend/zend_stream.c
===================================================================
RCS file: /repository/ZendEngine2/zend_stream.c,v
retrieving revision 1.20
diff -u -r1.20 zend_stream.c
--- Zend/zend_stream.c  4 Apr 2008 15:35:37 -0000       1.20
+++ Zend/zend_stream.c  29 Apr 2008 02:59:13 -0000
@@ -236,11 +236,11 @@
                        }
                }
                file_handle->handle.stream.mmap.map = 0;
-               file_handle->handle.stream.mmap.buf = *buf;
                file_handle->handle.stream.mmap.len = size;
                if (size && remain < ZEND_MMAP_AHEAD) {
                        *buf = safe_erealloc(*buf, size, 1, ZEND_MMAP_AHEAD);
                }
+               file_handle->handle.stream.mmap.buf = *buf;
        }
 
        if (file_handle->handle.stream.mmap.len == 0) {
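Review bot: At `*buf = safe_erealloc(*buf, size, 1, ZEND_MMAP_AHEAD);` the buffer grows by ZEND_MMAP_AHEAD bytes while `mmap.len` stays at `size`, and the visible context does not show those extra bytes being initialised. Please confirm that they are cleared before anything reads past `mmap.len`, or clear them right after the realloc. The same block keeps two copies of the pointer (`*buf` and `mmap.buf`) in sync by hand; assigning both in a single statement after the `if` would make the aliasing explicit and prevent the original ordering bug from coming back on this branch.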
