munmap() is called with the incorrect length
| Bug #62716 | munmap() is called with the incorrect length | | |
|---|---|---|---|
| Submitted: | 2012-08-01 11:55 UTC | Modified: | 2012-08-02 04:28 UTC |
| From: | slangley at google dot com | Assigned: | laruence (profile) |
| Status: | Closed | Package: | Scripting Engine problem |
| PHP Version: | 5.3.15 | OS: | All |
| Private report: | No | CVE-ID: | None |
[2012-08-01 11:55 UTC] slangley at google dot com
Description:
------------
In zend_stream.cc the size passed to mmap is the size of the file +
ZEND_MMAP_AHEAD.

    *buf = mmap(0, size + ZEND_MMAP_AHEAD, PROT_READ, MAP_PRIVATE,
                fileno(file_handle->handle.fp), 0);

However, when munmap() is called the incorrect size is passed.

    static void zend_stream_unmap(zend_stream *stream TSRMLS_DC) { /* {{{ */
    #if HAVE_MMAP
        if (stream->mmap.map) {
            munmap(stream->mmap.map, stream->mmap.len);
        } else
    #endif

The call to munmap should be

    munmap(stream->mmap.map, stream->mmap.len + ZEND_MMAP_AHEAD);
Test script:
---------------
N/A
Expected result:
----------------
N/A
Actual result:
--------------
N/A
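
Added example, not part of the original report or of PHP's source: a stand-alone C program that maps a temporary file with `size + MMAP_AHEAD` bytes, unmaps it with a chosen length, and counts the pages that remain mapped, to show when the length mismatch described above leaves memory behind. `MMAP_AHEAD` (value 32), `mapped_pages()` and `leaked_pages()` are assumptions made for this illustration, and the temporary file is constructed by the program.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* fileno(), ftruncate() */
#endif
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define MMAP_AHEAD 32 /* stand-in for ZEND_MMAP_AHEAD; the value is an assumption */

/* Count pages in [base, base + pages * pagesz) that are still mapped.
 * msync() fails (ENOMEM) on a range that is not mapped. */
static long mapped_pages(char *base, long pages, long pagesz)
{
    long n = 0;
    for (long i = 0; i < pages; i++)
        if (msync(base + i * pagesz, (size_t)pagesz, MS_ASYNC) == 0)
            n++;
    return n;
}

/* Map a temp file of `size` bytes with length size + MMAP_AHEAD, unmap it
 * with length size + unmap_extra, and return how many pages stay mapped.
 * Returns -1 if the file or the mapping cannot be set up. */
long leaked_pages(size_t size, size_t unmap_extra)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    size_t map_len = size + MMAP_AHEAD;
    long pages = (long)((map_len + pagesz - 1) / pagesz);
    FILE *fp = tmpfile();            /* constructed sample file */
    char *buf = MAP_FAILED;
    if (!fp) return -1;
    if (ftruncate(fileno(fp), (off_t)size) == 0)
        buf = mmap(0, map_len, PROT_READ, MAP_PRIVATE, fileno(fp), 0);
    fclose(fp);                      /* the mapping outlives the descriptor */
    if (buf == MAP_FAILED) return -1;
    munmap(buf, size + unmap_extra); /* kernel rounds the length up to whole pages */
    long left = mapped_pages(buf, pages, pagesz);
    if (left) munmap(buf, map_len);  /* release the leaked tail */
    return left;
}

int main(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    printf("size=100,  unmap(len):         %ld left\n", leaked_pages(100, 0));
    printf("size=page, unmap(len):         %ld left\n", leaked_pages(page, 0));
    printf("size=page, unmap(len + AHEAD): %ld left\n", leaked_pages(page, MMAP_AHEAD));
    return 0;
}
```

The short unmap only leaves a page behind when `size + MMAP_AHEAD` spills into a page that `size` alone does not reach; for the 100-byte file both lengths round up to the same single page, which hides the mismatch.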
[2012-08-02 04:28 UTC] laruence@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: laruence