php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #30153 FATAL erealloc() error when using gzinflate()
Submitted: 2004-09-19 16:17 UTC Modified: 2009-05-27 01:00 UTC
Votes:9
Avg. Score:5.0 ± 0.0
Reproduced:9 of 9 (100.0%)
Same Version:4 (44.4%)
Same OS:6 (66.7%)
From: OvdSpek at LIACS dot NL Assigned: rasmus (profile)
Status: No Feedback Package: Zlib related
PHP Version: 6CVS, 5CVS, 4CVS OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: OvdSpek at LIACS dot NL
New email:
PHP Version: OS:

 

 [2004-09-19 16:17 UTC] OvdSpek at LIACS dot NL
Description:
------------
The following PHP script appears to cause a full crash/restart of my Apache/2.0.50 (Win32) PHP/4.3.9RC3 Server at localhost Port 80 server on Windows XP.

http://213.46.64.114/temp/php_crash.bin
http://62.216.18.38/temp/php_crash.bin


Reproduce code:
---------------
<?php
	$s = file_get_contents('f:/temp/php_crash.bin');
	gzinflate(substr($s, 10));
?>


Expected result:
----------------
No errors.

Actual result:
--------------
FATAL:  erealloc():  Unable to allocate 603602944 bytes
[Sun Sep 19 16:11:16 2004] [notice] Parent: child process exited with status 1 -- Restarting.
[Sun Sep 19 16:11:16 2004] [notice] Parent: Created child process 3908
[Sun Sep 19 16:11:16 2004] [notice] Child 3908: Child process is running
[Sun Sep 19 16:11:16 2004] [notice] Child 3908: Acquired the start mutex.
[Sun Sep 19 16:11:16 2004] [notice] Child 3908: Starting 250 worker threads.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-09-30 23:39 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Decompressing the specified file with non-php tools tells me that the data is corrupt. As far as the error itself, according to the gzip library return statuses the file's compression exceeds that of 1 to 32768 which is defined as upper limit. So this sort of behaviour is expected. PHP cannot terminate nicely since the data size * 32768 still tries to make PHP allocate too much memory, which results in graceful request termination.
 [2004-10-01 11:06 UTC] OvdSpek at LIACS dot NL
But /php4/ext/zlib/zlib.c is your code right? Not the code from the zlib authors?
The bug isn't in zlib owned code, it's in php owned code, and that's your code.

This code indeed expects to get NULL if erealloc fails.
Is there a flag for erealloc or function to use that doesn't 'cause an exception' and instead just returns NULL?

s2 = (char *) erealloc(s1,length);
if(! s2) { if(s1) efree(s1); RETURN_FALSE; }
 [2004-10-01 11:17 UTC] OvdSpek at LIACS dot NL
> which results in graceful request termination.

Is a call to exit() graceful request termination?
In my opinion, that's just killing the entire process.
And in the case of a multi-threaded server, that's equivalent to killing the entire server.

BTW, erealloc has an allow_failure parameter. How about passing true at /php4/ext/zlib/zlib.c:628?

ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
 [2004-10-01 11:19 UTC] derick@php.net
No, emalloc() and friends abort in case of a memory overflow, Checking for the return value does not make any sense.
 [2004-10-01 11:21 UTC] OvdSpek at LIACS dot NL
So what does the allow_failure parameter do?
 [2004-10-01 11:38 UTC] OvdSpek at LIACS dot NL
And why are there no 'friends' that do not abort?
 [2004-10-01 12:07 UTC] derick@php.net
This is not a support forum, there is no bug here. Stop reopening it.
 [2004-10-01 12:42 UTC] OvdSpek at LIACS dot NL
Why is this not considered a bug?
Any user would classify this solveable 'thing' as a bug.
 [2005-09-28 05:31 UTC] rasmus@php.net
It is a problem.  Marking it suspended instead.  The solution is non-trivial.  If you have one, please let us know.
 [2007-05-30 04:54 UTC] itsmeaf at gmail dot com
I got this when i used a variable and an array together. Using Win2000 server & IIS w/ php 5
eg code
<?
<-- mysql query and result here -->

$file = substr($data[0],0,strrpos($data[0],'-'));
				
<-- mysql query and result here -->

$file[$data[1]] = substr($data[0],0,strrpos($data[0],'.')) . "-$s_fol-rej.csv";

?>

When I changed the first occurance of the var "$file" to "$real_file" the bug vanished.
 [2009-05-19 10:31 UTC] design at intermost dot ru
Latest version (5.2.9) / windows... this bug still shutting down WHOLE thread. Also i'm considering this as bug too.
 [2009-05-19 10:40 UTC] lbarnaud@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2009-05-27 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Nov 29 17:01:31 2024 UTC