Bug #63377 Segfault on output buffer > 2GB
Submitted: 2012-10-28 19:59 UTC Modified: 2012-11-30 06:51 UTC
From: miau dot jp at gmail dot com Assigned: laruence (profile)
Status: Closed Package: Output Control
PHP Version: 5.3.18 OS: Linux
Private report: No CVE-ID: None
 [2012-10-28 19:59 UTC] miau dot jp at gmail dot com
Description:
------------
Storing more than 2GB of data causes a segmentation fault. This problem seems to
occur on implicit use of the output buffer, such as print_r($val, true).

I ran the test script with GDB.

----

(gdb) run ob.php
Starting program: /usr/local/php-5.3.18/bin/php ob.php
warning: no loadable sections found in added symbol-file system-supplied DSO at 
0x2aaaaaaab000
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x0000000000597cb3 in php_ob_append (text=0x2aaaae1ae070 'a' <repeats 200 times>..., text_length=104857600)
    at /usr/local/src/php-5.3.18/main/output.c:616
616             memcpy(target, text, text_length);
(gdb) l 607,616
607     static inline void php_ob_append(const char *text, uint text_length TSRMLS_DC)
608     {
609             char *target;
610             int original_ob_text_length;
611
612             original_ob_text_length=OG(active_ob_buffer).text_length;
613
614             php_ob_allocate(text_length TSRMLS_CC);
615             target = OG(active_ob_buffer).buffer+original_ob_text_length;
616             memcpy(target, text, text_length);
(gdb) p target
$1 = 0x2aaa379ef070 <Address 0x2aaa379ef070 out of bounds>
(gdb) p output_globals.active_ob_buffer.buffer
$2 = 0x2aaab45ef070 'a' <repeats 200 times>...
(gdb) p original_ob_text_length
$3 = -2092957696

original_ob_text_length is wrongly recognized as a negative value, and the
address of target is less than output_globals.active_ob_buffer.buffer.

Declaring original_ob_text_length as uint will fix this problem.

Test script:
---------------
<?php
// Allow the output buffer to grow past 2 GiB (22 * 100 MiB = 2200 MiB).
ini_set('memory_limit', '3072M');

ob_start();
for ($i = 0; $i < 22; $i++)  {
    // Append 100 MiB per iteration; the 22nd append starts at an offset above 2 GiB.
    echo str_repeat('a', 100 * 1024 * 1024);
}
ob_end_clean();


Expected result:
----------------
# php ob.php
(no error occurs)

Actual result:
--------------
(Since a fatal error sometimes causes ob_flush(), redirecting
STDOUT is preferable.)
# php ob.php > /dev/null
Segmentation fault

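The report above pins the crash on one conversion: a buffer length above INT_MAX stored in a plain `int` becomes negative, so `buffer + original_ob_text_length` points below the allocation and `memcpy` writes out of bounds. The following C program is an added example, not PHP's code and not the committed patch: it reproduces that conversion in `buggy_offset` (21 chunks of 100 MiB yield the same -2092957696 the gdb session shows) and places it beside a checked append that keeps the offset in `size_t` and rejects a total length that would overflow before any memory is touched. The `ob_buffer` struct and all function names are constructed for this illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy output buffer modelled on OG(active_ob_buffer) from the gdb session
 * above. Constructed for this example; it is not PHP's code. */
typedef struct {
    char   *buffer;      /* allocated storage */
    size_t  size;        /* bytes allocated */
    size_t  text_length; /* bytes in use */
} ob_buffer;

/* The defective step: the current length is copied into a plain int, as
 * php_ob_append did in 5.3.18. Above INT_MAX the conversion is
 * implementation-defined; gcc and clang wrap modulo 2^32, which is what
 * turns 2100 MiB into -2092957696 in the report. Returns the offset the
 * buggy code would add to the buffer pointer. */
long long buggy_offset(size_t original_len) {
    int original_ob_text_length = (int)original_len;
    return (long long)original_ob_text_length;
}

/* Corrected append: the offset stays size_t (never negative) and the
 * addition is checked before the buffer is grown. Returns 0 on success,
 * -1 on overflow or allocation failure; on -1 nothing is written. */
int safe_append(ob_buffer *ob, const char *text, size_t text_length) {
    if (text_length > SIZE_MAX - ob->text_length)
        return -1; /* total length would overflow size_t */
    size_t needed = ob->text_length + text_length;
    if (needed > ob->size) {
        size_t new_size = ob->size ? ob->size : 64;
        while (new_size < needed) {
            if (new_size > SIZE_MAX / 2) { new_size = needed; break; }
            new_size *= 2;
        }
        char *p = realloc(ob->buffer, new_size);
        if (p == NULL)
            return -1;
        ob->buffer = p;
        ob->size = new_size;
    }
    memcpy(ob->buffer + ob->text_length, text, text_length);
    ob->text_length = needed;
    return 0;
}

void ob_free(ob_buffer *ob) {
    free(ob->buffer);
    ob->buffer = NULL;
    ob->size = ob->text_length = 0;
}

int main(void) {
    /* 21 chunks of 100 MiB: the buffer state just before the crashing 22nd append. */
    size_t before_22nd = 21u * 100u * 1024u * 1024u;
    printf("int offset for %zu bytes: %lld\n", before_22nd, buggy_offset(before_22nd));

    ob_buffer ob = {NULL, 0, 0};
    safe_append(&ob, "hello", 5);
    safe_append(&ob, " world", 6);
    printf("%.*s (%zu bytes)\n", (int)ob.text_length, ob.buffer, ob.text_length);
    ob_free(&ob);
    return 0;
}
```

The negative offset is the whole story: once `original_ob_text_length` wraps, the pointer arithmetic lands roughly 2 GiB before the real buffer, which is exactly the "Address out of bounds" gdb prints for `target`. Using an unsigned length, as the report suggests, removes that sign flip; the explicit overflow check in `safe_append` is the extra guard a reviewer would want so that growth past the platform limit fails cleanly instead of wrapping.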
Patches

ob.patch (last revision 2012-10-28 20:00 UTC by miau dot jp at gmail dot com)

Pull Requests

History

 [2012-10-28 20:12 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: mhjack
 [2012-10-28 20:12 UTC] felipe@php.net
-Assigned To: mhjack +Assigned To: mike
 [2012-11-30 06:48 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2012-11-30 06:48 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)
 [2012-11-30 06:49 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)
 [2012-11-30 06:49 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)
 [2012-11-30 06:50 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)
 [2012-11-30 06:51 UTC] laruence@php.net
-Assigned To: mike +Assigned To: laruence
 [2012-11-30 06:51 UTC] laruence@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-12-19 17:55 UTC] derick@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)
 [2014-10-07 23:21 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)
 [2014-10-07 23:32 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)