php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #27674 getimagesize eat up hundreds of memory, can't do with a good swf
Submitted: 2004-03-24 10:12 UTC Modified: 2004-04-09 12:37 UTC
From: xuefer at 21cn dot com Assigned:
Status: Not a bug Package: GetImageSize related
PHP Version: 4.3.5 OS: *
Private report: No CVE-ID: None
 [2004-03-24 10:12 UTC] xuefer at 21cn dot com
Description:
------------
file at: http://games.oursky.net:81/125-bad.swf (file will be removed when this bug is closed)
eat up >400MB memory(or page file)

pls fix it before 4.3.5 is out.

Reproduce code:
---------------
wget http://games.oursky.net:81/125-bad.swf
php -r 'getimagesize("125-bad.swf")';



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-03-25 10:28 UTC] iliaa@php.net
With PHP 4.3.5 I get a return value of false instantly and 
no large memory allocation problems you describe. 
 [2004-03-26 09:11 UTC] xuefer at 21cn dot com
more detail:

under xp
it eat more and more memory

under linux cli:
$ php -r "getimagesize('./125-bad.swf');"
FATAL:  erealloc():  Unable to allocate -2011570176 bytes

under linux apache: it crash
 [2004-03-26 09:59 UTC] xuefer at 21cn dot com
the above test verified for php4.3.5

phpinfo() under linux:
zlib
ZLib Support => enabled
Compiled Version => 1.1.4
Linked Version => 1.1.4

but when i compile cvs version of php5, it just works
./configure --disable-all --disable-cgi
make
./sapi/cli/php -r 'var_dump(getimagesize("125-bad.swf"));'
outputs: bool(false)
 [2004-03-26 13:45 UTC] iliaa@php.net
Both PHP4 (4.3.5) and PHP5 CVS return false with the given 
file. 
 [2004-03-26 22:09 UTC] xuefer at 21cn dot com
this bug may be "can't reproduce" not "closed"

this is the "fix" with testing code
Index: ext/standard/image.c
===================================================================
RCS file: /repository/php-src/ext/standard/image.c,v
retrieving revision 1.72.2.13
diff -u -r1.72.2.13 image.c
--- ext/standard/image.c        12 Nov 2003 22:56:09 -0000      1.72.2.13
+++ ext/standard/image.c        27 Mar 2004 03:11:00 -0000
@@ -196,8 +196,8 @@
 
        long bits;
        unsigned char a[64];
-       unsigned long len=64, szlength;
-       int factor=1,maxfactor=16;
+       unsigned long len=64, szlength, maxlength = 50*1024*1024;
+       int factor=1,maxfactor=8;
        int slength, status=0;
        char *b, *buf=NULL, *bufz=NULL;
 
@@ -226,8 +226,13 @@
                
                do {
                        szlength=slength*(1<<factor++);
+                       if (szlength > maxlength) {
+                               break;
+                       }
+                       printf("szlength: %d\n", szlength);
                        buf = (char *) erealloc(buf,szlength);
                        status = uncompress(buf, &szlength, bufz, slength);
+                       printf("status: %d\n", (int) (status == Z_BUF_ERROR));
                } while ((status==Z_BUF_ERROR)&&(factor<maxfactor));
                
                if (bufz) {



$ make && ./sapi/cli/php -r "var_dump(getimagesize('125-bad.swf'));"

Build complete.
(It is safe to ignore warnings about tempnam and tmpnam).

szlength: 2229880
status: 1
szlength: 4459760
status: 1
szlength: 8919520
status: 1
szlength: 17839040
status: 1
szlength: 35678080
status: 1
bool(false)
 [2004-03-27 05:58 UTC] helly@php.net
Where does the 50MByte const come from, a guess?
 [2004-03-27 06:16 UTC] xuefer at 21cn dot com
yes, just a guess
because no matter how much memory it alloc, uncompress() just return Z_BUF_ERROR

i don't know why this swf is bad, it plays ok in stand alone flashplayer and ie browser

by the way, when i test it with a "good" swf, the part of erealloc() don't even executed. In another word, the first uncompress:
    if (uncompress(b, &len, a, sizeof(a)) != Z_OK) {
is Z_OK
 [2004-04-09 04:00 UTC] xuefer at 21cn dot com
reoped and updated changed
cos 125-bad.swf is really "fine playing in flashplayer" swf
 [2004-04-09 12:37 UTC] sniper@php.net
The flash file you provided is corrupted, here's same file, uncorrupted which works fine:

http://www.miniclip.com/gamefiles0304/bushshootout_game.swf
 [2004-07-20 07:33 UTC] spam at vano dot org
I have the same problem on RH9 + Apache 2.0.49 + PHP5.0.0
on some (all) .swf files getimagesize() function crashes the Apache2.
in the error log it sais:

FATAL:  erealloc():  Unable to allocate -2067465216 bytes

PHP compilled with:

./configure --prefix=/php5 --with-config-file-path=/php5 --with-apxs2=/apache2/bin/apxs --with-mod_charset --enable-embed --with-zlib --enable-dbx --enable-dio --enable-exif --enable-ftp --with-iconv --with-gdbm --with-gmp --with-ncurses --with-mcrypt --with-crypt --with-gd=/usr/local --with-freetype-dir=/usr/lib --with-gif-dir=/usr/local --enable-gd-native-ttf --with-ttf --with-gettext --with-zip=/usr/lib --enable-calendar --enable-mbstring --with-kerberos --with-mysql --with-mysql-sock=/var/lib/mysql/mysql.sock --enable-sockets --with-pear --enable-shared=all
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 06:01:30 2024 UTC