php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #42663 gzinflate() try to allocate all memory with truncated $data
Submitted: 2007-09-13 18:28 UTC Modified: 2008-07-24 14:41 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: arnaud dot lb at gmail dot com Assigned:
Status: Closed Package: Zlib related
PHP Version: 5.2.4 OS: Linux 2.6
Private report: No CVE-ID: None
View Developer Edit
 [2007-09-13 18:28 UTC] arnaud dot lb at gmail dot com 
Description:
------------
gzinflate() try to allocate all memory with truncated $data:

Fatal error: Out of memory (allocated 1074003968) (tried to allocate 
2147450880 bytes) in Command line code on line 1

Zlib version: 1.2.3.3

Reproduce code:
---------------
/tmp/php-5.2.4$ ./configure --disable-all --enable-cli --with-zlib && make -j4
/tmp/php-5.2.4$ sapi/cli/php -d memory_limit=-1 -r '$data = gzdeflate(file_get_contents("/tmp/yuicompressor-1.0.zip"), 9); echo "Compressed length: " . strlen($data) . "\n"; gzinflate($data); $data = substr($data, 0, 65535); echo "Truncated length: " . strlen($data) . "\n"; gzinflate($data);'

Expected result:
----------------
gzinflate() should return FALSE, without eating all memory

Actual result:
--------------
Fatal error: Out of memory (allocated 1074003968) (tried to allocate 
2147450880 bytes) in Command line code on line 1

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-09-13 18:33 UTC] arnaud dot lb at gmail dot com 
Example code in a more readable format:

<?php
ini_set('memory_limit', -1);

// compressing a ~1.6MB file with gzdeflate()
$data = 
gzdeflate(file_get_contents("/home/noch/yuicompressor-1.0.zip"), 9);

echo "Compressed length: " . strlen($data) . "\n";

// gzinflate() works with original $data
gzinflate($data);

// Truncating compressed $data
$data = substr($data, 0, 65535);

echo "Truncated length: " . strlen($data) . "\n";

// Bug is here:
gzinflate($data);

?>
 [2007-09-16 14:52 UTC] iliaa@php.net 
Can you please provide a URL to the file with corrupted data.
 [2007-09-16 17:43 UTC] arnaud dot lb at gmail dot com 
It works with any compressed data if you truncate it.

The yuicompressor-1.0.zip file used for this example can be found 
here: 
http://www.julienlecomte.net/yuicompressor/yuicompressor-1.0.zip
 [2007-09-29 02:15 UTC] arnaud dot lb at gmail dot com 
I wrote a testcase for this bug:
http://s3.amazonaws.com/arnaud.lb/gzinflate-bug42663.phpt.txt
 [2008-07-11 09:36 UTC] arnaud dot lb at gmail dot com 
I made a patch for this bug: http://marc.info/?l=php-internals&m=121561206424622&w=1
 [2008-07-24 14:41 UTC] lbarnaud@php.net 
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 08:01:29 2024 UTC