PHP :: Bug #73928 :: __zend_realloc doesn't respect len=0

Bug #73928	__zend_realloc doesn't respect len=0
Submitted:	2017-01-13 23:53 UTC	Modified:	2020-10-19 16:01 UTC
From:	dev at pp3345 dot net	Assigned:	cmb (profile)
Status:	Duplicate	Package:	Reproducible crash
PHP Version:	7.1.0	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	dev at pp3345 dot net
New email:
PHP Version:		OS:

New/Additional Comment:

[2017-01-13 23:53 UTC] dev at pp3345 dot net

Description:
------------
According to `man realloc`, realloc() may return NULL if a valid pointer and size=0 is passed, e. g. realloc(<ptr>, 0) is the same as free(<ptr>). However, __zend_realloc always interprets NULL as OOM and therefore bails out when trying to reallocate a pointer to size 0. For example, mysqlnd sometimes calls erealloc(<ptr>, 0), which will crash PHP when running with USE_ZEND_ALLOC=0.

From zend_alloc.c, lines 2834 - 2841:
ZEND_API void * __zend_realloc(void *p, size_t len)
{
	p = realloc(p, len);
	if (EXPECTED(p)) {
		return p;
	}
	zend_out_of_memory();
}

It should probably be something like if (EXPECTED(p) || !len).

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-01-14 18:00 UTC] cmb@php.net

This appears to be related to bug #73370 (might even be a duplicate).

[2017-01-14 18:29 UTC] dev at pp3345 dot net

Oh, didn't see that one, sorry for that. Actually, the behavior I described in my initial post is compliant to C89 (according to http://port70.net/~nsz/c/c89/c89-draft.html#4.10.3.4) and C99. It seems that realloc(<ptr>, 0) is undefined/implementation-dependent as of C11. Since PHP is written in C89 and there obviously is code in PHP that actually depends on this behavior, I think it would be the best option to comply with C89 and interpret realloc(<ptr>, 0) as free(<ptr>), thus adding checks for len=0.

[2020-10-19 16:01 UTC] cmb@php.net

-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb

[2020-10-19 16:01 UTC] cmb@php.net

Well, actually this is duplicate of bug #73370.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Apr 01 21:01:28 2025 UTC