Merge lp:~clint-fewbar/ubuntu/maverick/php5/remove-pgsql-segfault-patch into lp:ubuntu/maverick/php5

Proposed by Clint Byrum
Status: Superseded
Proposed branch: lp:~clint-fewbar/ubuntu/maverick/php5/remove-pgsql-segfault-patch
Merge into: lp:ubuntu/maverick/php5
Diff against target: 107 lines (+7/-79)
3 files modified
debian/changelog (+7/-0)
debian/patches/php52389-pgsql-segfault.patch (+0/-78)
debian/patches/series (+0/-1)
To merge this branch: bzr merge lp:~clint-fewbar/ubuntu/maverick/php5/remove-pgsql-segfault-patch
Reviewer Review Type Date Requested Status
Ubuntu Sponsors Pending
Ubuntu Development Team Pending
Review via email: mp+38418@code.launchpad.net

This proposal has been superseded by a proposal from 2010-11-25.

Description of the change

Not sure if I got the version numbers right given natty being closed and this going to maverick as an SRU.

The change is pretty straightforward, removing a patch. It clearly fixes a mistake that I made by adding that patch w/o good confirmation that it actually fixes anything.

Unmerged revisions

76. By Clint Byrum

fixing changelog number for SRU

75. By Clint Byrum

debian/patches/php52389-pgsql-segfault.patch: removing,
causes error handling to fail (LP: #660227)

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2010-09-20 14:56:33 +0000
3+++ debian/changelog 2010-10-14 13:51:01 +0000
4@@ -1,3 +1,10 @@
5+php5 (5.3.3-1ubuntu9.1) maverick-proposed; urgency=low
6+
7+ * debian/patches/php52389-pgsql-segfault.patch: removing,
8+ causes error handling to fail (LP: #660227)
9+
10+ -- Clint Byrum <clint@ubuntu.com> Thu, 14 Oct 2010 06:46:02 -0700
11+
12 php5 (5.3.3-1ubuntu9) maverick; urgency=low
13
14 * SECURITY UPDATE: arbitrary memory disclosure and possible code
15
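Review bot: the new changelog entry cites only LP: #660227 and says nothing about LP #607646, the Bug-Ubuntu reference in the header of the patch being removed, so the SRU record does not show what happens to the report the patch was added for. Suggest a second bullet noting that the removal reverts the attempted fix for LP #607646. The version 5.3.3-1ubuntu9.1 with maverick-proposed follows the usual SRU convention on top of 5.3.3-1ubuntu9.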
16=== removed file 'debian/patches/php52389-pgsql-segfault.patch'
17--- debian/patches/php52389-pgsql-segfault.patch 2010-08-13 00:07:15 +0000
18+++ debian/patches/php52389-pgsql-segfault.patch 1970-01-01 00:00:00 +0000
19@@ -1,78 +0,0 @@
20-From: miroslav.zacek@skype.net
21-Subject: Memory (de)allocation problem for pgsql notice
22-Description:In the ext/pgsql.c pgsql_globals->notices structure is allocated as
23- persistent but individual messages non persistent. Thus the destructor
24- _php_pgsql_notice_ptr_dtor happens to try to free memory that was
25- already freed by the garbage collector and the thread exits with
26- segmentation fault.
27- .
28- Program received signal SIGSEGV, Segmentation fault.
29- 0x00007ffff3cd3013 in _zend_mm_free_int (heap=0x7ffff844b5c0, p=0x7ffff9397390)
30- at /usr/src/php_no_suhosin/php5-5.3.2/Zend/zend_alloc.c:2018
31- 2018 if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
32- (gdb) backtrace
33- #0 0x00007ffff3cd3013 in _zend_mm_free_int (heap=0x7ffff844b5c0,
34- p=0x7ffff9397390) at /usr/src/php_no_suhosin/php5-5.3.2/Zend/zend_alloc.c:2018
35- #1 0x00007ffff3cd3de1 in _efree (ptr=0x7ffff9397390) at
36- /usr/src/php_no_suhosin/php5-5.3.2/Zend/zend_alloc.c:2351
37- #2 0x00007fffeb4d3419 in _php_pgsql_notice_ptr_dtor (ptr=0x7ffff9396708) at
38- /tmp/pgsql/pgsql.c:841
39- .
40- While the patch has not been accepted yet in PHP upstream, the logic appears
41- sound enough to move forward with the patch.
42- .
43- Note: original patch was not in unified diff format. Reformatted as such.
44-
45-Origin: upstream, http://bugs.php.net/bug.php?id=52389
46-Bug: http://bugs.php.net/bug.php?id=52389
47-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/607646
48-Reviewed-by: Clint Byrum <clint@ubuntu.com>
49-
50-=== modified file 'ext/pgsql/pgsql.c'
51---- a/ext/pgsql/pgsql.c 2010-08-01 11:58:54 +0000
52-+++ b/ext/pgsql/pgsql.c 2010-08-13 07:03:38 +0000
53-@@ -742,7 +742,11 @@
54- if (len) {
55- *len = i;
56- }
57-- return estrndup(message, i);
58-+
59-+ //return estrndup(message, i);
60-+ char *ret_msg = (char *)pemalloc((i+1)*sizeof(char), 1);
61-+ memcpy(ret_msg, message, (i+1)*sizeof(char));
62-+ return ret_msg;
63- }
64- /* }}} */
65-
66-@@ -814,7 +818,7 @@
67-
68- TSRMLS_FETCH();
69- if (! PGG(ignore_notices)) {
70-- notice = (php_pgsql_notice *)emalloc(sizeof(php_pgsql_notice));
71-+ notice = (php_pgsql_notice *)pemalloc(sizeof(php_pgsql_notice), 1);
72- notice->message = _php_pgsql_trim_message(message, &notice->len);
73- if (PGG(log_notices)) {
74- php_error_docref(NULL TSRMLS_CC, E_NOTICE, "%s", notice->message);
75-@@ -824,16 +828,17 @@
76- }
77- /* }}} */
78-
79--#define PHP_PGSQL_NOTICE_PTR_DTOR (void (*)(void *))_php_pgsql_notice_ptr_dtor
80-+#define PHP_PGSQL_NOTICE_PTR_DTOR (void (*)(void **))_php_pgsql_notice_ptr_dtor
81-
82- /* {{{ _php_pgsql_notice_dtor
83- */
84- static void _php_pgsql_notice_ptr_dtor(void **ptr)
85- {
86- php_pgsql_notice *notice = (php_pgsql_notice *)*ptr;
87-- if (notice) {
88-- efree(notice->message);
89-- efree(notice);
90-+ int ref_count = (*(zval*)*ptr).refcount__gc;
91-+ if (notice && ref_count) {
92-+ pefree(notice->message, 1);
93-+ pefree(notice, 1);
94- notice = NULL;
95- }
96- }
97-
98
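Review bot: the removed destructor's `int ref_count = (*(zval*)*ptr).refcount__gc;` reinterprets a php_pgsql_notice as a zval, so the `if (notice && ref_count)` guard tests whatever bytes sit at that offset in the notice struct rather than a real reference count, and whether the notice is freed depends on unrelated data. In the first inner hunk, replacing `estrndup(message, i)` with a `memcpy` of `i+1` bytes also drops the guaranteed NUL terminator at index i, so the string later passed to `php_error_docref(NULL TSRMLS_CC, E_NOTICE, "%s", notice->message)` is terminated only if message[i] happens to be NUL. Both points support the removal; recording them in LP: #660227 or on upstream bug 52389 would keep the patch from being reintroduced unchanged.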
99=== modified file 'debian/patches/series'
100--- debian/patches/series 2010-09-20 14:56:33 +0000
101+++ debian/patches/series 2010-10-14 13:51:01 +0000
102@@ -56,5 +56,4 @@
103 php-fpm-man-section-and-cleanup.patch
104 fpm-config.patch
105 lp564920-fix-big-files.patch
106-php52389-pgsql-segfault.patch
107 CVE-2010-2950.patch
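Review bot: dropping `php52389-pgsql-segfault.patch` from the series means `CVE-2010-2950.patch` now applies directly after `lp564920-fix-big-files.patch`, on a tree that no longer carries the removed patch's changes. Worth confirming that the remaining series still applies without fuzz or offsets before upload, and that nothing else under debian/ refers to the removed patch name.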
