8000 More allocation fixes · jrtkcoder/phpredis@c51b0a1 · GitHub


Commit c51b0a1

More allocation fixes
There were a few more places mixing emalloc(sizeof(zval*)*N) with emalloc(sizeof(zval)*N), causing us to overwrite data in the stack. These didn't appear until the code was built in release mode. The next step is to build in debug mode to get rid of any leaks. Addresses phpredis#727
1 parent 7b36957 commit c51b0a1


1 file changed

+10
-10
lines changed


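--- a/redis_cluster.c
+++ b/redis_cluster.c
@@ -641,7 +641,7 @@ static int cluster_mkey_cmd(INTERNAL_FUNCTION_PARAMETERS, char *kw, int kw_len,
 if (!argc) return -1;
 
 /* Extract our arguments into an array */
-z_args = emalloc(sizeof(zval*)*argc);
+z_args = emalloc(sizeof(*z_args) * argc);
 if (zend_get_parameters_array(ht, ZEND_NUM_ARGS(), z_args) == FAILURE) {
 efree(z_args);
 return -1;
@@ -857,7 +857,7 @@ PHP_METHOD(RedisCluster, del) {
 // Initialize a LONG value to zero for our return
 z_ret = emalloc(sizeof(*z_ret));
 ZVAL_LONG(z_ret, 0);
-
+
 // Parse args, process
 if(cluster_mkey_cmd(INTERNAL_FUNCTION_PARAM_PASSTHRU, "DEL",
 sizeof("DEL")-1, z_ret, cluster_del_resp)<0)
@@ -906,16 +906,18 @@ PHP_METHOD(RedisCluster, mset) {
 
 /* {{{ proto array RedisCluster::msetnx(array keyvalues) */
 PHP_METHOD(RedisCluster, msetnx) {
-zval z_ret;
+zval *z_ret;
 
 // Array response
-array_init(&z_ret);
+z_ret = emalloc(sizeof(*z_ret));
+array_init(z_ret);
 
 // Parse args and process. If we get a failure, free mem and return FALSE
 if(cluster_mset_cmd(INTERNAL_FUNCTION_PARAM_PASSTHRU, "MSETNX",
-sizeof("MSETNX")-1, &z_ret, cluster_msetnx_resp)==-1)
+sizeof("MSETNX")-1, z_ret, cluster_msetnx_resp)==-1)
 {
-zval_dtor(&z_ret);
+zval_dtor(z_ret);
+efree(z_ret);
 RETURN_FALSE;
 }
 }
@@ -2067,7 +2069,7 @@ PHP_METHOD(RedisCluster, watch) {
 ht_dist = cluster_dist_create();
 
 // Allocate args, and grab them
-z_args = emalloc(sizeof(zval*)*argc);
+z_args = emalloc(sizeof(*z_args) * argc);
 if(zend_get_parameters_array(ht, argc, z_args)==FAILURE) {
 efree(z_args);
 cluster_dist_free(ht_dist);
@@ -2339,10 +2341,8 @@ static void cluster_raw_cmd(INTERNAL_FUNCTION_PARAMETERS, char *kw, int kw_len)
 RETURN_FALSE;
 }
 
-/* Allocate an array to process arguments */
-z_args = emalloc(argc * sizeof(zval*));
-
 /* Grab args */
+z_args = emalloc(sizeof(*z_args) * argc);
 if(zend_get_parameters_array(ht, argc, z_args)==FAILURE) {
 efree(z_args);
 RETURN_FALSE;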
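Review bot: In the cluster_mkey_cmd hunk the buffer is sized from `argc` but filled with `ZEND_NUM_ARGS()` entries, so the allocation and the copy count match only if `argc` was assigned from `ZEND_NUM_ARGS()` above the hunk, which is not visible here. The watch and cluster_raw_cmd hunks pass `argc` to both calls, and `zend_get_parameters_array(ht, argc, z_args)` in cluster_mkey_cmd would tie the two together the same way. All three sites also multiply `sizeof(*z_args) * argc` unchecked; the Zend allocator's overflow-checked form is `z_args = safe_emalloc(argc, sizeof(*z_args), 0);`. In msetnx, `z_ret` is now heap-allocated and released only on the `-1` path, so a short comment above the `emalloc` stating who frees it on success would help, since that code (presumably the response handler) lies outside this diff.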
