Merge lp:~clint-fewbar/ubuntu/maverick/php5/remove-pgsql-segfault-patch into lp:ubuntu/maverick/php5

Proposed by Clint Byrum
Status: Superseded
Proposed branch: lp:~clint-fewbar/ubuntu/maverick/php5/remove-pgsql-segfault-patch
Merge into: lp:ubuntu/maverick/php5
Diff against target: 107 lines (+7/-79)
3 files modified
debian/changelog (+7/-0)
debian/patches/php52389-pgsql-segfault.patch (+0/-78)
debian/patches/series (+0/-1)
To merge this branch: bzr merge lp:~clint-fewbar/ubuntu/maverick/php5/remove-pgsql-segfault-patch
Reviewers (status):
Ubuntu Sponsors Team: Pending
Ubuntu Development Team: Pending
Review via email: mp+38418@code.launchpad.net

This proposal has been superseded by a proposal from 2010-11-25.

Description of the change

Not sure if I got the version numbers right given natty being closed and this going to maverick as an SRU.

The change is pretty straightforward, removing a patch. It clearly fixes a mistake that I made by adding that patch w/o good confirmation that it actually fixes anything.

Unmerged revisions

76. By Clint Byrum

fixing changelog number for SRU

75. By Clint Byrum

debian/patches/php52389-pgsql-segfault.patch: removing,
causes error handling to fail (LP: #660227)

Preview Diff

=== modified file 'debian/changelog'
--- debian/changelog 2010-09-20 14:56:33 +0000
+++ debian/changelog 2010-10-14 13:51:01 +0000
@@ -1,3 +1,10 @@
1php5 (5.3.3-1ubuntu9.1) maverick-proposed; urgency=low
2
3 * debian/patches/php52389-pgsql-segfault.patch: removing,
4 causes error handling to fail (LP: #660227)
5
6 -- Clint Byrum <clint@ubuntu.com> Thu, 14 Oct 2010 06:46:02 -0700
7
1php5 (5.3.3-1ubuntu9) maverick; urgency=low8php5 (5.3.3-1ubuntu9) maverick; urgency=low
29
3 * SECURITY UPDATE: arbitrary memory disclosure and possible code10 * SECURITY UPDATE: arbitrary memory disclosure and possible code
411
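Review bot: The new 5.3.3-1ubuntu9.1 entry cites only LP: #660227, while the patch it drops was carried for Launchpad bug 607646 (the Bug-Ubuntu header of the removed file), so the entry should also state that the pgsql notice segfault fix is being reverted. Someone reading only the changelog during SRU review cannot otherwise see that trade-off. Refer to bug 607646 in a form that does not use the bug-closing "LP: #" syntax, since this upload reopens that problem rather than fixing it.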
=== removed file 'debian/patches/php52389-pgsql-segfault.patch'
--- debian/patches/php52389-pgsql-segfault.patch 2010-08-13 00:07:15 +0000
+++ debian/patches/php52389-pgsql-segfault.patch 1970-01-01 00:00:00 +0000
@@ -1,78 +0,0 @@
1From: miroslav.zacek@skype.net
2Subject: Memory (de)allocation problem for pgsql notice
3Description:In the ext/pgsql.c pgsql_globals->notices structure is allocated as
4 persistent but individual messages non persistent. Thus the destructor
5 _php_pgsql_notice_ptr_dtor happens to try to free memory that was
6 already freed by the garbage collector and the thread exits with
7 segmentation fault.
8 .
9 Program received signal SIGSEGV, Segmentation fault.
10 0x00007ffff3cd3013 in _zend_mm_free_int (heap=0x7ffff844b5c0, p=0x7ffff9397390)
11 at /usr/src/php_no_suhosin/php5-5.3.2/Zend/zend_alloc.c:2018
12 2018 if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
13 (gdb) backtrace
14 #0 0x00007ffff3cd3013 in _zend_mm_free_int (heap=0x7ffff844b5c0,
15 p=0x7ffff9397390) at /usr/src/php_no_suhosin/php5-5.3.2/Zend/zend_alloc.c:2018
16 #1 0x00007ffff3cd3de1 in _efree (ptr=0x7ffff9397390) at
17 /usr/src/php_no_suhosin/php5-5.3.2/Zend/zend_alloc.c:2351
18 #2 0x00007fffeb4d3419 in _php_pgsql_notice_ptr_dtor (ptr=0x7ffff9396708) at
19 /tmp/pgsql/pgsql.c:841
20 .
21 While the patch has not been accepted yet in PHP upstream, the logic appears
22 sound enough to move forward with the patch.
23 .
24 Note: original patch was not in unified diff format. Reformatted as such.
25
26Origin: upstream, http://bugs.php.net/bug.php?id=52389
27Bug: http://bugs.php.net/bug.php?id=52389
28Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/607646
29Reviewed-by: Clint Byrum <clint@ubuntu.com>
30
31=== modified file 'ext/pgsql/pgsql.c'
32--- a/ext/pgsql/pgsql.c 2010-08-01 11:58:54 +0000
33+++ b/ext/pgsql/pgsql.c 2010-08-13 07:03:38 +0000
34@@ -742,7 +742,11 @@
35 if (len) {
36 *len = i;
37 }
38- return estrndup(message, i);
39+
40+ //return estrndup(message, i);
41+ char *ret_msg = (char *)pemalloc((i+1)*sizeof(char), 1);
42+ memcpy(ret_msg, message, (i+1)*sizeof(char));
43+ return ret_msg;
44 }
45 /* }}} */
46
47@@ -814,7 +818,7 @@
48
49 TSRMLS_FETCH();
50 if (! PGG(ignore_notices)) {
51- notice = (php_pgsql_notice *)emalloc(sizeof(php_pgsql_notice));
52+ notice = (php_pgsql_notice *)pemalloc(sizeof(php_pgsql_notice), 1);
53 notice->message = _php_pgsql_trim_message(message, &notice->len);
54 if (PGG(log_notices)) {
55 php_error_docref(NULL TSRMLS_CC, E_NOTICE, "%s", notice->message);
56@@ -824,16 +828,17 @@
57 }
58 /* }}} */
59
60-#define PHP_PGSQL_NOTICE_PTR_DTOR (void (*)(void *))_php_pgsql_notice_ptr_dtor
61+#define PHP_PGSQL_NOTICE_PTR_DTOR (void (*)(void **))_php_pgsql_notice_ptr_dtor
62
63 /* {{{ _php_pgsql_notice_dtor
64 */
65 static void _php_pgsql_notice_ptr_dtor(void **ptr)
66 {
67 php_pgsql_notice *notice = (php_pgsql_notice *)*ptr;
68- if (notice) {
69- efree(notice->message);
70- efree(notice);
71+ int ref_count = (*(zval*)*ptr).refcount__gc;
72+ if (notice && ref_count) {
73+ pefree(notice->message, 1);
74+ pefree(notice, 1);
75 notice = NULL;
76 }
77 }
78
790
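Review bot: Two defects in the removed ext/pgsql/pgsql.c changes are worth recording on LP: #660227 so that a reworked fix for PHP bug 52389 does not repeat them. In _php_pgsql_notice_ptr_dtor, `int ref_count = (*(zval*)*ptr).refcount__gc;` reads a php_pgsql_notice through a zval cast, and does so before the `if (notice && ref_count)` NULL check, so whether the notice is freed depends on whatever bytes sit at that offset in the notice struct. In _php_pgsql_trim_message, `memcpy(ret_msg, message, (i+1)*sizeof(char));` replaces `estrndup(message, i)`, which copies i bytes and appends a NUL; the replacement copies message[i] instead, so the result is terminated only if that byte already was NUL, and notice->message is then passed to a "%s" format in php_error_docref. A replacement patch should keep the persistent allocation consistent between the notice and its message, terminate the copy explicitly at index i, and not infer liveness from a zval field on a non-zval object.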
=== modified file 'debian/patches/series'
--- debian/patches/series 2010-09-20 14:56:33 +0000
+++ debian/patches/series 2010-10-14 13:51:01 +0000
@@ -56,5 +56,4 @@
56php-fpm-man-section-and-cleanup.patch56php-fpm-man-section-and-cleanup.patch
57fpm-config.patch57fpm-config.patch
58lp564920-fix-big-files.patch58lp564920-fix-big-files.patch
59php52389-pgsql-segfault.patch
60CVE-2010-2950.patch59CVE-2010-2950.patch
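Review bot: php52389-pgsql-segfault.patch sat directly before CVE-2010-2950.patch in the series, so please confirm that the remaining patch stack still applies cleanly, without fuzz or offsets, once this entry is gone, and say so in the SRU test notes. The diff shows only the series entry being dropped, not the result of a rebuild.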
