PHP :: Bug #27674 :: getimagesize eat up hundreds of memory, can't do with a good swf

Bug #27674	getimagesize eat up hundreds of memory, can't do with a good swf
Submitted:	2004-03-24 10:12 UTC	Modified:	2004-04-09 12:37 UTC
From:	xuefer at 21cn dot com	Assigned:
Status:	Not a bug	Package:	GetImageSize related
PHP Version:	4.3.5	OS:	*
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	xuefer at 21cn dot com
New email:
PHP Version:		OS:

New Comment:

[2004-03-24 10:12 UTC] xuefer at 21cn dot com

Description:
------------
file at: http://games.oursky.net:81/125-bad.swf (file will be removed when this bug is closed)
eat up >400MB memory(or page file)

pls fix it before 4.3.5 is out.

Reproduce code:
---------------
wget http://games.oursky.net:81/125-bad.swf
php -r 'getimagesize("125-bad.swf")';

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-03-25 10:28 UTC] iliaa@php.net

With PHP 4.3.5 I get a return value of false instantly and 
no large memory allocation problems you describe.

[2004-03-26 09:11 UTC] xuefer at 21cn dot com

more detail:

under xp
it eat more and more memory

under linux cli:
$ php -r "getimagesize('./125-bad.swf');"
FATAL:  erealloc():  Unable to allocate -2011570176 bytes

under linux apache: it crash

[2004-03-26 09:59 UTC] xuefer at 21cn dot com

the above test verified for php4.3.5

phpinfo() under linux:
zlib
ZLib Support => enabled
Compiled Version => 1.1.4
Linked Version => 1.1.4

but when i compile cvs version of php5, it just works
./configure --disable-all --disable-cgi
make
./sapi/cli/php -r 'var_dump(getimagesize("125-bad.swf"));'
outputs: bool(false)

[2004-03-26 13:45 UTC] iliaa@php.net

Both PHP4 (4.3.5) and PHP5 CVS return false with the given 
file.

[2004-03-26 22:09 UTC] xuefer at 21cn dot com

this bug may be "can't reproduce" not "closed"

this is the "fix" with testing code
Index: ext/standard/image.c
===================================================================
RCS file: /repository/php-src/ext/standard/image.c,v
retrieving revision 1.72.2.13
diff -u -r1.72.2.13 image.c
--- ext/standard/image.c        12 Nov 2003 22:56:09 -0000      1.72.2.13
+++ ext/standard/image.c        27 Mar 2004 03:11:00 -0000
@@ -196,8 +196,8 @@
 
        long bits;
        unsigned char a[64];
-       unsigned long len=64, szlength;
-       int factor=1,maxfactor=16;
+       unsigned long len=64, szlength, maxlength = 50*1024*1024;
+       int factor=1,maxfactor=8;
        int slength, status=0;
        char *b, *buf=NULL, *bufz=NULL;
 
@@ -226,8 +226,13 @@
                
                do {
                        szlength=slength*(1<<factor++);
+                       if (szlength > maxlength) {
+                               break;
+                       }
+                       printf("szlength: %d\n", szlength);
                        buf = (char *) erealloc(buf,szlength);
                        status = uncompress(buf, &szlength, bufz, slength);
+                       printf("status: %d\n", (int) (status == Z_BUF_ERROR));
                } while ((status==Z_BUF_ERROR)&&(factor<maxfactor));
                
                if (bufz) {



$ make && ./sapi/cli/php -r "var_dump(getimagesize('125-bad.swf'));"

Build complete.
(It is safe to ignore warnings about tempnam and tmpnam).

szlength: 2229880
status: 1
szlength: 4459760
status: 1
szlength: 8919520
status: 1
szlength: 17839040
status: 1
szlength: 35678080
status: 1
bool(false)

[2004-03-27 05:58 UTC] helly@php.net

Where does the 50MByte const come from, a guess?

[2004-03-27 06:16 UTC] xuefer at 21cn dot com

yes, just a guess
because no matter how much memory it alloc, uncompress() just return Z_BUF_ERROR

i don't know why this swf is bad, it plays ok in stand alone flashplayer and ie browser

by the way, when i test it with a "good" swf, the part of erealloc() don't even executed. In another word, the first uncompress:
    if (uncompress(b, &len, a, sizeof(a)) != Z_OK) {
is Z_OK

[2004-04-09 04:00 UTC] xuefer at 21cn dot com

reoped and updated changed
cos 125-bad.swf is really "fine playing in flashplayer" swf

[2004-04-09 12:37 UTC] sniper@php.net

The flash file you provided is corrupted, here's same file, uncorrupted which works fine:

http://www.miniclip.com/gamefiles0304/bushshootout_game.swf

[2004-07-20 07:33 UTC] spam at vano dot org

I have the same problem on RH9 + Apache 2.0.49 + PHP5.0.0
on some (all) .swf files getimagesize() function crashes the Apache2.
in the error log it sais:

FATAL:  erealloc():  Unable to allocate -2067465216 bytes

PHP compilled with:

./configure --prefix=/php5 --with-config-file-path=/php5 --with-apxs2=/apache2/bin/apxs --with-mod_charset --enable-embed --with-zlib --enable-dbx --enable-dio --enable-exif --enable-ftp --with-iconv --with-gdbm --with-gmp --with-ncurses --with-mcrypt --with-crypt --with-gd=/usr/local --with-freetype-dir=/usr/lib --with-gif-dir=/usr/local --enable-gd-native-ttf --with-ttf --with-gettext --with-zip=/usr/lib --enable-calendar --enable-mbstring --with-kerberos --with-mysql --with-mysql-sock=/var/lib/mysql/mysql.sock --enable-sockets --with-pear --enable-shared=all

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Apr 20 06:01:28 2024 UTC