PHP :: Bug #61273 :: call_user_func_array with more than 16333 arguments leaks / crashes

Bug #61273	call_user_func_array with more than 16333 arguments leaks / crashes
Submitted:	2012-03-04 15:24 UTC	Modified:	2012-03-11 15:29 UTC
From:	nikic@php.net	Assigned:	dmitry (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.4SVN-2012-03-04 (SVN)	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	nikic@php.net
New email:
PHP Version:		OS:

New/Additional Comment:

[2012-03-04 15:24 UTC] nikic@php.net

Description:
------------
The following code:

call_user_func_array(function(&$a) {}, $array = array_fill(0, 16334, "*"));

Produces this output:

Warning: Parameter 1 to {closure}() expected to be a reference, value given in Command line code on line 1
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(832) :  Freeing 0xB72FC03C (36 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(412) : Actual location (location was relayed)
Last leak repeated 16333 times
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(376) :  Freeing 0xB744103C (65536 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_alloc.c(2529) : Actual location (location was relayed)
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_API.c(315) :  Freeing 0xB74C0D50 (44 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_variables.c(134) : Actual location (location was relayed)
Last leak repeated 1 time
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(6788) :  Freeing 0xB78560A8 (20 bytes), script=-
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(2378) :  Freeing 0xB7857380 (2 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_variables.c(121) : Actual location (location was relayed)
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(2375) :  Freeing 0xB7858360 (20 bytes), script=-
=== Total 16340 memory leaks detected ===

If you do some more stuff after the call PHP will eventually segfault.

This only happens if the *first* argument of the callback is by-ref and only happens after a certain number of arguments (for me it starts with 16334). That's why I guess that this has something to do with http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute_API.c#862 (i == 0 => branch not entered) and http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute_API.c#851 (as it is only for large argument numbers).

Patches

call_user_func_array.patch (last revision 2012-03-04 16:00 UTC by nikic@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-03-04 15:33 UTC] nikic@php.net

Just checked with gdb and it seems that this indeed only happens if the stack is resized.

[2012-03-04 15:53 UTC] nikic@php.net

The issue is indeed the if(i). Commenting it out fixes the problem.

[2012-03-04 16:00 UTC] nikic@php.net

The following patch has been added/updated:

Patch Name: call_user_func_array.patch
Revision:   1330876827
URL:        https://bugs.php.net/patch-display.php?bug=61273&patch=call_user_func_array.patch&revision=1330876827

[2012-03-04 17:44 UTC] pajoye@php.net

Can you take a look please?

[2012-03-04 17:44 UTC] pajoye@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry

[2012-03-11 15:28 UTC] laruence@php.net

Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=324108
Log: Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)

[2012-03-11 15:29 UTC] laruence@php.net

-Status: Assigned +Status: Closed

[2012-03-11 15:29 UTC] laruence@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2012-04-18 09:45 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a38ffd57051954d2081f13f3db9e024465aa15b3
Log: Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)

[2012-07-24 23:36 UTC] rasmus@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a38ffd57051954d2081f13f3db9e024465aa15b3
Log: Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)

[2013-11-17 09:33 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a38ffd57051954d2081f13f3db9e024465aa15b3
Log: Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC