Uploaded image for project: 'Thrift'
  1. Thrift
  2. THRIFT-2321

thrift php extension,when giving data not a correct type,it will seperate it,but when running function "SEPARATE_ZVAL()",the real data pointer is changed,real data will loss.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 0.9
    • None
    • PHP - Compiler, PHP - Library

    • PHP 5.2.9
      Zend Engine v2.2.0
      g++ (SUSE Linux) 4.3.2 [gcc-4_3-branch revision 141291]

    Description

      code position:
      file::thrift-0.9.0/lib/php/src/ext/thrift_protocol/php_thrift_protocol.cpp

      void binary_serialize(.....)
      {
      .
      .
      .
      if (Z_TYPE_PP(value) != IS_LONG)

      { SEPARATE_ZVAL(value); convert_to_long(*value); }

      .
      .
      .
      }

      php client have a function:
      $lmflag = array("3");
      public function GetStaet($lmflag)

      thrift file define this function:

      ReturnResult GetState(1:list<i32> lmflag);

      now we use php extension(thrift_protocol.so) to call function "GetState()",as parameter lmflag data type inconsistent,so the extension will seperate it use function "SEPARATE_ZVAL(value)", then the pointer "value" will change it point,now we can find that real data pointer is missing,the real data is lost.

      Attachments

        Activity

          People

            Unassigned Unassigned
            grayson grayson
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:

              Time Tracking

                Estimated:
                Original Estimate - 504h
                504h
                Remaining:
                Remaining Estimate - 504h
                504h
                Logged:
                Time Spent - Not Specified
                Not Specified