diff options
author | Sara Golemon <sgolemon@fb.com> | 2015-06-17 13:26:48 -0700 |
---|---|---|
committer | Sara Golemon <sgolemon@fb.com> | 2015-06-17 13:34:20 -0700 |
commit | d241711f44e85c9c59e73c17244c867820ba89e8 (patch) | |
tree | da378f85ffadc32e997a6bd37cfe5a080a4c73c5 | |
parent | 61d58f2d9e9175786406dd11178190644a1e0183 (diff) | |
download | php-git-d241711f44e85c9c59e73c17244c867820ba89e8.tar.gz |
Fix buffer growth in sockets/conversion.c
memset() the *end* of the new buffer, not the beginning
Copy the pointer to the buffer, not its initial contents
Fixes bug 69619
-rw-r--r-- | ext/sockets/conversions.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/ext/sockets/conversions.c b/ext/sockets/conversions.c index d81484521d..30e895d97b 100644 --- a/ext/sockets/conversions.c +++ b/ext/sockets/conversions.c @@ -910,8 +910,8 @@ static void from_zval_write_control(const zval *arr, if (space_left < req_space) { *control_buf = safe_erealloc(*control_buf, 2, req_space, *control_len); *control_len += 2 * req_space; - memset(*control_buf, '\0', *control_len - *offset); - memcpy(&alloc->data, *control_buf, sizeof *control_buf); + memset(*control_buf + *offset, '\0', *control_len - *offset); + memcpy(&alloc->data, control_buf, sizeof *control_buf); } cmsghdr = (struct cmsghdr*)(((char*)*control_buf) + *offset); |