php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81070 Integer underflow in memory limit comparison
Submitted: 2021-05-22 10:46 UTC Modified: 2021-05-22 10:53 UTC
From: pvandommelen at gmail dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 7.3.28 OS:
Private report: No CVE-ID: None
 [2021-05-22 10:46 UTC] pvandommelen at gmail dot com
Description:
------------
When more memory is allocated, the currently allocated memory is compared to the limit. There is currently an integer underflow problem when the limit is lower than the currently allocated memory. This can occur when the memory limit is changed dynamically through `set_ini("memory_limit", ..)`.

This was introduced in 7.2.23 and also exists in 7.3.10 and all versions of 7.4 and 8.0.
https://github.com/php/php-src/commit/16d35eb643bf974554e5264021ee10fc969e2053

The code sample illustrates the problem. Allocation after the memory limit is reduced should throw an error. 

The old behaviour can probably be reintroduced by also verifying that the memory limit is higher than the currently allocated memory.

Test script:
---------------
https://3v4l.org/egq60

```
<?php
echo sprintf("\n%.1fMB", memory_get_usage(true) / 1024 / 1024);

// allocate a large byte string of around 5 MB
$a = str_repeat("0", 5 * 1024 * 1024);
echo sprintf("\n%.1fMB", memory_get_usage(true) / 1024 / 1024);

// setting the memory limit lower than the current is accepted
ini_set("memory_limit", "3M");
echo sprintf("\n%.1fMB", memory_get_usage(true) / 1024 / 1024);

// further allocation beyond the limit
$b = str_repeat("0", 5 * 1024 * 1024);
echo sprintf("\n%.1fMB", memory_get_usage(true) / 1024 / 1024);
```


Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-05-22 10:53 UTC] pvandommelen at gmail dot com
-Summary: Regression in 7.4.6 when yielding an array based generator +Summary: Integer underflow in memory limit comparison
 [2021-05-22 10:53 UTC] pvandommelen at gmail dot com
Browser autofilled the title an old bug report
 [2021-05-24 09:40 UTC] pvandommelen at gmail dot com
The following pull request has been associated:

Patch Name: Fix #81070: Integer underflow when memory limit is exceeded
On GitHub:  https://github.com/php/php-src/pull/7040
Patch:      https://github.com/php/php-src/pull/7040.patch
 [2021-05-31 13:25 UTC] git@php.net
Automatic comment on behalf of pvandommelen (author) and nikic (committer)
Revision: https://github.com/php/php-src/commit/1b3b5c94e52d10eb7a3f69b486a51b3f4d214d4f
Log: Fixed bug #81070
 [2021-05-31 13:25 UTC] git@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 11:01:30 2024 UTC