Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 0.9
- None
PHP 5.2.9
Zend Engine v2.2.0
g++ (SUSE Linux) 4.3.2 [gcc-4_3-branch revision 141291]
Description
Code position:
File: thrift-0.9.0/lib/php/src/ext/thrift_protocol/php_thrift_protocol.cpp
    void binary_serialize(.....)
    {
        .
        .
        .
        if (Z_TYPE_PP(value) != IS_LONG)
        .
        .
        .
    }
The PHP client has a function:
    $lmflag = array("3");
    public function GetState($lmflag)
The Thrift file defines this function:
    ReturnResult GetState(1:list<i32> lmflag);
Now we use the PHP extension (thrift_protocol.so) to call the function "GetState()". Because the data type of the parameter lmflag is inconsistent, the extension separates it using "SEPARATE_ZVAL(value)". The pointer "value" then changes what it points to, and we find that the real data pointer is missing and the real data is lost.
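
A client-side way to keep the mismatched-type branch from being reached, shown as an added example that is not part of the original report or of Thrift itself: coerce every element of the list<i32> argument to a native integer before the call. The helper name normalize_i32_list and the $client variable are hypothetical, and the input is constructed to match the report.

```php
<?php
// Hypothetical helper (not a Thrift API): returns a copy of $values in which
// every element is a PHP integer that fits in a signed 32-bit field, so the
// extension receives IS_LONG values and has nothing to convert.
function normalize_i32_list($values)
{
    if (!is_array($values)) {
        throw new InvalidArgumentException('list<i32> argument must be an array');
    }
    $out = array();
    foreach ($values as $i => $v) {
        if (is_int($v)) {
            $n = $v;
        } elseif (is_string($v) && preg_match('/\A-?[0-9]+\z/', $v)) {
            // Compare as float so an over-long digit string cannot wrap silently.
            $n = (float) $v;
        } else {
            throw new InvalidArgumentException("element $i is not an integer");
        }
        if ($n < -2147483648.0 || $n > 2147483647.0) {
            throw new InvalidArgumentException("element $i does not fit in i32");
        }
        $out[] = (int) $n;
    }
    return $out;
}

// Constructed input from the report: a string where the IDL declares i32.
$lmflag = normalize_i32_list(array("3"));
var_dump($lmflag);

// $client is assumed to be the generated Thrift client for the service:
// $result = $client->GetState($lmflag);
```

Rejecting non-numeric elements instead of casting them keeps a malformed value from being sent as 0.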