PHP :: Bug #41430 :: Fatal error with negative values of maxlen parameter of file_get

Bug #41430	Fatal error with negative values of maxlen parameter of file_get_contents()
Submitted:	2007-05-18 11:30 UTC	Modified:	2007-05-21 09:39 UTC
From:	nikhil dot gupta at in dot ibm dot com	Assigned:
Status:	Closed	Package:	Filesystem function related
PHP Version:	5CVS-2007-05-18 (snap)	OS:	LINUX, Win32-xp
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	nikhil dot gupta at in dot ibm dot com
New email:
PHP Version:		OS:

New Comment:

[2007-05-18 11:30 UTC] nikhil dot gupta at in dot ibm dot com

Description:
------------
Fatal error is generated when the parameter "maxlen" of file_get_contents() is provided with value < -1. This behaviour is on PHP5 as well as on PHP6 on win32-xp and Linux.


Suggested Fix:
file : ext/standard/file.c
  function: file_get_content()
  Code :  This code snipped should be added just after parsing the input parameters.

    if ( maxlen < -1) {
       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maxlen parameter must be greater than or equal to 0");
       RETURN_FALSE;
    }

Explanation for the warning message in the suggested fix:
The maxlen is being checked for < -1 and not < 0 because, maxlen is initialized to  PHP_STREAM_COPY_ALL (i.e -1 ). The -1 mean that entire file will be read. default value -1 of maxlen is not documented in the php doc ,so user getting the warning message saying "Maxlen parameter must be greater than or equal to 0" is valid.


Reproduce code:
---------------
<?php
file_put_contents("datafile.txt", "abcdef");
var_dump(file_get_contents("datafile.txt", FALSE, NULL, 0, -1) );
var_dump(file_get_contents("datafile.txt", FALSE, NULL, 0, -5) );
?>

Expected result:
----------------
FATAL error is not expected. The negative value of maxlen should be handled with proper warning message.

Actual result:
--------------
string(6) "abcdef"
PHP Fatal error:  Out of memory (allocated 262144) (tried to allocate -4 bytes)
in C:\My_PROJECTS\PHP\workdir\binaries\php5\latest\tmp.php on line 4

BACKTRACE:

(gdb) bt
#0  zend_mm_safe_error (heap=0x83ec1e8, format=0x83b751c "Out of memory (allocated %ld) at %s:%d (tried to allocate %ld bytes)", limit=262144,filename=0x83a2a48 "/home/nikhil/workdir/php5/php5.2-200705150430/main/streams/streams.c", lineno=1234, size=4294967292)
at /home/nikhil/workdir/php5/php5.2-20705150430/Zend/zend_alloc.c:1616
#1  0x0828895e in _zend_mm_alloc_int (heap=0x83ec1e8,size=4294967292,
    __zend_filename=0x83a2a48 "/home/nikhil/workdir/php5/php5.2-200705150430/main/streams/streams.c", __zend_lineno=1234,
    __zend_orig_filename=0x838f1c4 "/home/nikhil/workdir/php5/php5.2-200705150430/ext/standard/file.c", __zend_orig_lineno=555)
    at /home/nikhil/workdir/php5/php5.2-200705150430/Zend/zend_alloc.c:1815
#2  0x082899b2 in _emalloc (size=4294967292, __zend_filename=0x83a2a48 "/home/nikhil/workdir/php5/php5.2-200705150430/main/streams/streams.c", __zend_lineno=1234, __zend_orig_filename=0x838f1c4 "/home/nikhil/workdir/php5/php5.2-200705150430/ext/standard/file.c", __zend_orig_lineno=555)at /home/nikhil/workdir/php5/php5.2-200705150430/Zend/zend_alloc.c:2243
#3  0x0826df2b in _php_stream_copy_to_mem (src=0xb7fb30f0, buf=0xbfffd188, maxlen=4294967291, persistent=0, __php_stream_call_depth=0,
    __zend_filename=0x838f1c4 "/home/nikhil/workdir/php5/php5.2-200705150430/ext/standard/file.c", __zend_lineno=555, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /home/nikhil/workdir/php5/php5.2-200705150430/main/streams/streams.c:1234
#4  0x081f1daf in zif_file_get_contents (ht=5, return_value=0xb7fb2b94, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /home/nikhil/workdir/php5/php5.2-200705150430/ext/standard/file.c:555
#5  0x082c2ae1 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffd380) at /home/nikhil/workdir/php5/php5.2-200705150430/Zend/zend_vm_execute.h:200
#6  0x082c753a in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffd380) at /home/nikhil/workdir/php5/php5.2-200705150430/Zend/zend_vm_execute.h:1681
#7  0x082c26f6 in execute (op_array=0xb7fb1c88) at /home/nikhil/workdir/php5/php5.2-200705150430/Zend/zend_vm_execute.h:92
#8  0x082a31f2 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/nikhil/workdir/php5/php5.2-200705150430/Zend/zend.c:1134
#9  0x0825bbd9 in php_execute_script (primary_file=0xbffff740) at /home/nikhil/workdir/php5/php5.2-200705150430/main/main.c:1794
#10 0x08308ef9 in main (argc=2, argv=0xbffff814) at /home/nikhil/workdir/php5/php5.2-200705150430/sapi/cli/php_cli.c:1138

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-05-18 12:07 UTC] tony2001@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2007-05-21 07:16 UTC] nikhil dot gupta at in dot ibm dot com

Thanks for the fix!

Now I see that for maxlen=-1 also, the warning message is displayed (earlier it behaved same as maxlen=0 without warning message) which according to me is perfectly fine now.
But same question arises for offset parameter values handling also. When offset value is <=-1, it behaves same as offset=0 and there is no warning message displayed for offset to be greater than or equal to zero as displayed for maxlen after the fix for this bug.

I think for negative values (<=-1) of offset parameter also , the warning message like :
"offset must be greater than or equal to zero" should be displayed.

[2007-05-21 09:01 UTC] tony2001@php.net

>I think for negative values (<=-1) of offset parameter also , the
>warning message like "offset must be greater than or equal to zero"
>should be displayed.

It is displayed for all values < 0 (when the parameter is specified).

[2007-05-21 09:39 UTC] nikhil dot gupta at in dot ibm dot com

I mean the following:

Testcase:

<?php
file_put_contents("data.txt", "abcdef");
var_dump( file_get_contents("data.txt", FALSE, NULL, -2) );
?>

Actual Output:
string(6) "abcdef"

I was asking whether negative values for offset is acceptable?
I was suggesting to handle the negative offset values with a warning message similar to maxlen rather than output similar to that of offset=0.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 12:01:29 2024 UTC