Fix buffer growth in sockets/conversion.c

memset() the *end* of the new buffer, not the beginning Copy the pointer to the buffer, not its initial contents Fixes bug 69619
author: Sara Golemon <sgolemon@fb.com> 2015-06-17 13:26:48 -0700
committer: Sara Golemon <sgolemon@fb.com> 2015-06-17 13:34:20 -0700
commit: d241711f44e85c9c59e73c17244c867820ba89e8 (patch)
tree: da378f85ffadc32e997a6bd37cfe5a080a4c73c5
parent: 61d58f2d9e9175786406dd11178190644a1e0183 (diff)
download: php-git-d241711f44e85c9c59e73c17244c867820ba89e8.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/ext/sockets/conversions.c b/ext/sockets/conversions.c
index d81484521d..30e895d97b 100644
--- a/ext/sockets/conversions.c
+++ b/ext/sockets/conversions.c
@@ -910,8 +910,8 @@ static void from_zval_write_control(const zval			*arr,
 	if (space_left < req_space) {
 		*control_buf = safe_erealloc(*control_buf, 2, req_space, *control_len);
 		*control_len += 2 * req_space;
-		memset(*control_buf, '\0', *control_len - *offset);
-		memcpy(&alloc->data, *control_buf, sizeof *control_buf);
+		memset(*control_buf + *offset, '\0', *control_len - *offset);
+		memcpy(&alloc->data, control_buf, sizeof *control_buf);
 	}
 
 	cmsghdr = (struct cmsghdr*)(((char*)*control_buf) + *offset);
author	Sara Golemon <sgolemon@fb.com>	2015-06-17 13:26:48 -0700
committer	Sara Golemon <sgolemon@fb.com>	2015-06-17 13:34:20 -0700
commit	d241711f44e85c9c59e73c17244c867820ba89e8 (patch)
tree	da378f85ffadc32e997a6bd37cfe5a080a4c73c5
parent	61d58f2d9e9175786406dd11178190644a1e0183 (diff)
download	php-git-d241711f44e85c9c59e73c17244c867820ba89e8.tar.gz