I found what is effectively a memory corruption bug in all the branches. pecalloc() uses
the wrong length to zero out the memory. Patch is attached, although I'm somewhat
concerned about using just (nmemb*len) instead of something like safe_address(nmemb*len),
but safe_address() is inlined in zend_alloc.c not in the header file.
We should apply this to 5.2/5.3 before the release.
-Andrei
Index: Zend/zend_alloc.h
===================================================================
RCS file: /repository/ZendEngine2/zend_alloc.h,v
retrieving revision 1.63.2.2.2.16
diff -u -r1.63.2.2.2.16 zend_alloc.h
--- Zend/zend_alloc.h 31 Dec 2008 11:17:33 -0000 1.63.2.2.2.16
+++ Zend/zend_alloc.h 26 Jun 2009 21:20:53 -0000
@@ -89,7 +89,7 @@
inline static void * __zend_calloc(size_t nmemb, size_t len)
{
void *tmp = _safe_malloc(nmemb, len, 0);
- memset(tmp, 0, len);
+ memset(tmp, 0, nmemb * len);
return tmp;
}
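Review bot: the new `memset(tmp, 0, nmemb * len)` recomputes the product that `_safe_malloc(nmemb, len, 0)` on the line above was already asked to allocate, so the wrap-around concern raised in the message only matters if `_safe_malloc` can return a buffer for a product that does not fit in `size_t`; if it aborts on overflow, as its name suggests, the multiplication here cannot wrap, and a one-line comment stating that the product is trusted because `_safe_malloc` checked it would keep a future reader from "fixing" it back to `len`. If `_safe_malloc` does not give that guarantee, the helper should compute the checked size once and pass it to both the allocation and the `memset` rather than repeat an unchecked `nmemb * len` in a header inline.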
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php