PHP :: Bug #61273 :: call_user_func_array with more than 16333 arguments leaks / crashes

Bug #61273	call_user_func_array with more than 16333 arguments leaks / crashes
Submitted:	2012-03-04 15:24 UTC	Modified:	2012-03-11 15:29 UTC
From:	nikic@php.net	Assigned:	dmitry (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.4SVN-2012-03-04 (SVN)	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	nikic@php.net
New email:
PHP Version:		OS:

New Comment:

[2012-03-04 15:24 UTC] nikic@php.net

Description:
------------
The following code:

call_user_func_array(function(&$a) {}, $array = array_fill(0, 16334, "*"));

Produces this output:

Warning: Parameter 1 to {closure}() expected to be a reference, value given in Command line code on line 1
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(832) :  Freeing 0xB72FC03C (36 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(412) : Actual location (location was relayed)
Last leak repeated 16333 times
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(376) :  Freeing 0xB744103C (65536 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_alloc.c(2529) : Actual location (location was relayed)
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_API.c(315) :  Freeing 0xB74C0D50 (44 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_variables.c(134) : Actual location (location was relayed)
Last leak repeated 1 time
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(6788) :  Freeing 0xB78560A8 (20 bytes), script=-
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(2378) :  Freeing 0xB7857380 (2 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_variables.c(121) : Actual location (location was relayed)
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(2375) :  Freeing 0xB7858360 (20 bytes), script=-
=== Total 16340 memory leaks detected ===

If you do some more stuff after the call PHP will eventually segfault.

This only happens if the *first* argument of the callback is by-ref and only happens after a certain number of arguments (for me it starts with 16334). That's why I guess that this has something to do with http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute_API.c#862 (i == 0 => branch not entered) and http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute_API.c#851 (as it is only for large argument numbers).

Patches

call_user_func_array.patch (last revision 2012-03-04 16:00 UTC by nikic@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-03-04 15:33 UTC] nikic@php.net

Just checked with gdb and it seems that this indeed only happens if the stack is resized.

[2012-03-04 15:53 UTC] nikic@php.net

The issue is indeed the if(i). Commenting it out fixes the problem.

[2012-03-04 16:00 UTC] nikic@php.net

The following patch has been added/updated:

Patch Name: call_user_func_array.patch
Revision:   1330876827
URL:        https://bugs.php.net/patch-display.php?bug=61273&patch=call_user_func_array.patch&revision=1330876827

[2012-03-04 17:44 UTC] pajoye@php.net

Can you take a look please?

[2012-03-04 17:44 UTC] pajoye@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry

[2012-03-11 15:28 UTC] laruence@php.net

Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=324108
Log: Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)

[2012-03-11 15:29 UTC] laruence@php.net

-Status: Assigned +Status: Closed

[2012-03-11 15:29 UTC] laruence@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2012-04-18 09:45 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a38ffd57051954d2081f13f3db9e024465aa15b3
Log: Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)

[2012-07-24 23:36 UTC] rasmus@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a38ffd57051954d2081f13f3db9e024465aa15b3
Log: Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)

[2013-11-17 09:33 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a38ffd57051954d2081f13f3db9e024465aa15b3
Log: Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Oct 29 04:00:01 2025 UTC