
Commit d241711

committed
Fix buffer growth in sockets/conversion.c
memset() the *end* of the new buffer, not the beginning. Copy the pointer to the buffer, not its initial contents. Fixes bug 69619.
1 parent 61d58f2 commit d241711


1 file changed

+2
-2
lines changed


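--- a/ext/sockets/conversions.c
+++ b/ext/sockets/conversions.c
@@ -910,8 +910,8 @@ static void from_zval_write_control(const zval *arr,
 if (space_left < req_space) {
 *control_buf = safe_erealloc(*control_buf, 2, req_space, *control_len);
 *control_len += 2 * req_space;
-memset(*control_buf, '\0', *control_len - *offset);
-memcpy(&alloc->data, *control_buf, sizeof *control_buf);
+memset(*control_buf + *offset, '\0', *control_len - *offset);
+memcpy(&alloc->data, control_buf, sizeof *control_buf);
 }
 
 cmsghdr = (struct cmsghdr*)(((char*)*control_buf) + *offset);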
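Review bot: The new `memset(*control_buf + *offset, ...)` does pointer arithmetic directly on `*control_buf`, which the cast in the last context line (`(char*)*control_buf`) suggests is a `void *`; arithmetic on `void *` is a GNU extension rather than standard C. Writing it as `memset((char *)*control_buf + *offset, '\0', *control_len - *offset);` keeps the byte-offset meaning explicit and matches that later line. The `memcpy` differs from the old line by a single `*`, so a short comment such as `/* store the reallocated pointer itself, not the buffer's first bytes */` would make the intent hard to undo by accident; presumably `alloc->data` is what later releases the buffer, so a wrong value there is a memory-safety problem and not only a functional one. The commit shows one changed file and no regression test for bug 69619; one that forces the growth path would pin both lines. The function's signature and the rest of its body are outside the hunk.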
