php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #63377 Segfault on output buffer > 2GB
Submitted: 2012-10-28 19:59 UTC Modified: 2012-11-30 06:51 UTC
From: miau dot jp at gmail dot com Assigned: laruence (profile)
Status: Closed Package: Output Control
PHP Version: 5.3.18 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: miau dot jp at gmail dot com
New email:
PHP Version: OS:

 

 [2012-10-28 19:59 UTC] miau dot jp at gmail dot com 
Description:
------------
Storing data more than 2GB cause a segmentation fault. This problem seems
occur on implicit use of output buffer, such as print_r($val, true).

I ran the test script with GDB.

----

(gdb) run ob.php
Starting program: /usr/local/php-5.3.18/bin/php ob.php
warning: no loadable sections found in added symbol-file system-supplied DSO at 
0x2aaaaaaab000
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x0000000000597cb3 in php_ob_append (text=0x2aaaae1ae070 'a' <repeats 200 
times>..., text_length=104857600)
    at /usr/local/src/php-5.3.18/main/output.c:616
616             memcpy(target, text, text_length);
(gdb) l 607,616
607     static inline void php_ob_append(const char *text, uint text_length 
TSRMLS_DC)
608     {
609             char *target;
610             int original_ob_text_length;
611
612             original_ob_text_length=OG(active_ob_buffer).text_length;
613
614             php_ob_allocate(text_length TSRMLS_CC);
615             target = OG(active_ob_buffer).buffer+original_ob_text_length;
616             memcpy(target, text, text_length);
(gdb) p target
$1 = 0x2aaa379ef070 <Address 0x2aaa379ef070 out of bounds>
(gdb) p output_globals.active_ob_buffer.buffer
$2 = 0x2aaab45ef070 'a' <repeats 200 times>...
(gdb) p original_ob_text_length
$3 = -2092957696

original_ob_text_length is wrongly recognized as a negative value and
address of target is less than output_globals.active_ob_buffer.buffer.

Declaring original_ob_text_length as uint will fix this problem.

Test script:
---------------
<?php
ini_set('memory_limit', '3072M');

ob_start();
for ($i = 0; $i < 22; $i++)  {
    echo str_repeat('a', 100 * 1024 * 1024);
}
ob_end_clean();


Expected result:
----------------
# php ob.php
(no error occurs)

Actual result:
--------------
(Since a fatal error sometimes cause ob_flush(), redirecting
STDOUT is preferable.)
# php ob.php > /dev/null
Segmentation fault

Patches

ob.patch (last revision 2012-10-28 20:00 UTC by miau dot jp at gmail dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-10-28 20:12 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: mhjack
 [2012-10-28 20:12 UTC] felipe@php.net
-Assigned To: mhjack +Assigned To: mike
 [2012-11-30 06:48 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2012-11-30 06:48 UTC] laruence@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)
 [2012-11-30 06:49 UTC] laruence@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)
 [2012-11-30 06:49 UTC] laruence@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)
 [2012-11-30 06:50 UTC] laruence@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)
 [2012-11-30 06:51 UTC] laruence@php.net
-Assigned To: mike +Assigned To: laruence
 [2012-11-30 06:51 UTC] laruence@php.net 
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2012-12-19 17:55 UTC] derick@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)
 [2014-10-07 23:21 UTC] stas@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)
 [2014-10-07 23:32 UTC] stas@php.net 
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Oct 31 07:00:01 2025 UTC