Bug #61058 array_fill leaks if start index is PHP_INT_MAX
Submitted: 2012-02-11 19:51 UTC Modified: 2012-03-02 03:41 UTC
From: nikic@php.net Assigned: laruence (profile)
Status: Closed Package: *General Issues
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2012-02-11 19:51 UTC] nikic@php.net
Description:
------------
<?php array_fill(PHP_INT_MAX, 2, '*');

Leaks:


[Sat Feb 11 20:47:35 2012]  Script:  'reproduceCode4_memoryLeak.php'
/home/nikic/dev/php-src-git/Zend/zend_vm_execute.h(2371) :  Freeing 0xB786F010 (20 bytes), script=reproduceCode4_memoryLeak.php
[Sat Feb 11 20:47:35 2012]  Script:  'reproduceCode4_memoryLeak.php'
/home/nikic/dev/php-src-git/Zend/zend_vm_execute.h(2374) :  Freeing 0xB7870558 (1 bytes), script=reproduceCode4_memoryLeak.php
/home/nikic/dev/php-src-git/Zend/zend_variables.c(121) : Actual location (location was relayed)
=== Total 2 memory leaks detected ===

Reason:

zval_add_ref is called regardless of whether zend_hash_next_index_insert succeeds in http://lxr.php.net/opengrok/xref/PHP_TRUNK/ext/standard/array.c#1570.
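As an added illustration (not code from the report or from php-src), a C model of the refcount pattern described above: a toy refcounted value and an integer-keyed table whose next-insert index saturates at IDX_MAX (standing in for PHP_INT_MAX), so the equivalent of zend_hash_next_index_insert fails once the slot at the maximum index is occupied. index_update, next_index_insert, fill and leaked_refs are hypothetical names; leaked_refs counts references that no owner holds after the fill, for the unchecked loop and for a loop that releases the reference on failure.

```c
#include <stdint.h>
#include <stdio.h>
#define IDX_MAX INT64_MAX   /* stand-in for PHP_INT_MAX */
#define CAP 8

typedef struct { int refcount; char value; } zval;          /* toy refcounted value */
typedef struct { int64_t keys[CAP]; int count; int64_t next_free; } table;

/* zend_hash_index_update stand-in: store under an explicit key; next_free saturates at IDX_MAX */
static int index_update(table *t, int64_t key) {
    if (t->count >= CAP) return -1;
    t->keys[t->count++] = key;
    if (key >= t->next_free) t->next_free = key < IDX_MAX ? key + 1 : IDX_MAX;
    return 0;
}

/* zend_hash_next_index_insert stand-in: FAILURE (-1) once the next key is already taken */
static int next_index_insert(table *t) {
    for (int i = 0; i < t->count; i++)
        if (t->keys[i] == t->next_free) return -1;
    return index_update(t, t->next_free);
}

/* array_fill's loop shape: the unfixed path bumps the refcount before every insert and never undoes it */
static void fill(table *t, int64_t start, int num, zval *val, int fixed) {
    num--;
    val->refcount++;                                  /* zval_add_ref */
    index_update(t, start);
    while (num--) {
        val->refcount++;                              /* zval_add_ref */
        if (next_index_insert(t) != 0 && fixed) {
            val->refcount--;                          /* release the reference the table never took */
            break;                                    /* every later insert would fail the same way */
        }
    }
}

/* References nobody owns after array_fill(IDX_MAX, num, '*'): refcount minus (caller + one per stored slot) */
int leaked_refs(int num, int fixed) {
    table t = { {0}, 0, 0 };
    zval star = { 1, '*' };                           /* constructed sample value, one caller reference */
    fill(&t, IDX_MAX, num, &star, fixed);
    return star.refcount - (1 + t.count);
}

int main(void) {
    printf("unchecked inserts, num=2: %d leaked reference(s)\n", leaked_refs(2, 0));  /* 1 */
    printf("checked inserts,   num=5: %d leaked reference(s)\n", leaked_refs(5, 1));  /* 0 */
    return 0;
}
```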


Patches

fill_up_to_possible_while_preventing_leak_61058 (last revision 2012-02-12 05:43 UTC by carloschilazo at gmail dot com)

Pull Requests

History

 [2012-02-12 04:42 UTC] laruence@php.net
There are lots of functions/code that don't check the return value of 
zend_hash_next_index_insert (and other variants of zend_hash_update_**).

So, IMO, there should be some familiar issues there. 

If we only focus on this one, a simple patch would be (but I think it's not needed 
to fix this, since this is really an intentional behavior :) thanks):

Index: ext/standard/array.c
===================================================================
--- ext/standard/array.c	(revision 323122)
+++ ext/standard/array.c	(working copy)
@@ -1564,11 +1564,15 @@
 
 	num--;
 	zval_add_ref(&val);
-	zend_hash_index_update(Z_ARRVAL_P(return_value), start_key, &val, 
sizeof(zval *), NULL);
+	if (zend_hash_index_update(Z_ARRVAL_P(return_value), start_key, &val, 
sizeof(zval *), NULL) == FAILURE) {
+		zval_ptr_dtor(&val);
+	}
 
 	while (num--) {
 		zval_add_ref(&val);
-		zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &val, 
sizeof(zval *), NULL);
+		if (zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &val, 
sizeof(zval *), NULL) == FAILURE) {
+			zval_ptr_dtor(&val);
+		}
 	}
 }
 /* }}} */
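Review bot: in the while loop, a failed zend_hash_next_index_insert is now balanced by zval_ptr_dtor(&val), but the loop keeps running; for the reported input (start index PHP_INT_MAX) there is no further index to insert at, so each remaining iteration just repeats the same zval_add_ref / zval_ptr_dtor pair with nothing stored. Adding a `break;` after `zval_ptr_dtor(&val);` in the loop avoids iterating num times for no effect. The matching FAILURE guard on the zend_hash_index_update(start_key) call is harmless, but a comment on when that path is expected to trigger would help the next reader.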
 [2012-02-12 04:56 UTC] laruence@php.net
hmm, I think I should fix this, since this was explored :)
 [2012-02-12 04:59 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=323160
Log: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)
 [2012-02-12 05:01 UTC] laruence@php.net
Fixed in 5.3 and trunk, will close this after I merge this fix to 5.4.
 [2012-02-12 05:01 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2012-02-12 05:32 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=323161
Log: Improved fix for #61058, and add test script
 [2012-03-02 03:40 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=323782
Log: MFH: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)
 [2012-03-02 03:41 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2012-03-02 03:41 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:45 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bcb9768f9e7e1989e94350b880305133b064dfb3
Log: MFH: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3d898cfa3f7d801a47dc18fe665081ed738b70da
Log: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)
 [2012-07-24 23:37 UTC] rasmus@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bcb9768f9e7e1989e94350b880305133b064dfb3
Log: MFH: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)
 [2012-07-24 23:37 UTC] rasmus@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3d898cfa3f7d801a47dc18fe665081ed738b70da
Log: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)
 [2013-11-17 09:33 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bcb9768f9e7e1989e94350b880305133b064dfb3
Log: MFH: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)
 [2013-11-17 09:33 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3d898cfa3f7d801a47dc18fe665081ed738b70da
Log: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)