|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #32508 ob_gzhandler w/ chunking can crash Apache 2
Submitted: 2005-03-30 22:38 UTC Modified: 2005-09-07 01:00 UTC
Avg. Score:4.2 ± 0.7
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:2 (40.0%)
From: myronwu at gmail dot com Assigned:
Status: No Feedback Package: Output Control
PHP Version: 5CVS, 4CVS (2005-03-31) OS: *
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2005-03-30 22:38 UTC] myronwu at gmail dot com
In certain browsers, attempting to output data before a 
call to ob_start('ob_gzhandler', chunk_size) causes 
Apache 2 to consume huge (all) amounts of memory.  This 
only occurs when chunking takes place (ie size of data 
output > chunk_size).

Outputting data before a call to ob_start without a 
chunk_size or without 'ob_gzhandler' works as expected.

Browsers tested that were affected:  Firefox, Opera
Browsers tested that were unaffected:  Links

Diff between php.ini and php.ini-dist:
register_globals = On

Apache version:
Apache/2.0.53 (Unix) mod_ssl/2.0.53 OpenSSL/0.9.7a PHP/

using prefork mpm.

Zlib version: 1.1.4

PHP configure command:

'./configure' '--with-mysqli=/usr/local/mysql/bin/
mysql_config' '--with-mysql=/usr/local/mysql' '--with-
apache2=/usr/src/apache/httpd-2.0.53' '--enable-yp' '--
enable-track-vars' '--with-zlib' '--with-jpeg' '--with-
png' '--with-tiff' '--with-pdflib' '--with-gd' '--with-
apxs2=/var/www/bin/apxs' '--with-gettext' '--with-

This was also reproduced on another box with the same 
versions of Apache 2, zlib, but PHP 4.3.1 with configure 

'./configure' '--with-mysql=/usr/local/mysql' '--with-
apache2=/usr/src/httpd-2.0.46' '--enable-yp' '--enable-
track-vars' '--with-zlib-dir=/usr/local/lib' '--with-
jpeg-dir=/usr/local/lib' '--with-png-dir=/usr/local/lib' 
'--with-tiff-dir=/usr/local/lib' '--with-pdflib' '--
with-gd=yes' '--with-apxs2=/var/www/bin/apxs'

Reproduce code:

echo 'test!';
ob_start('ob_gzhandler', 2048);


Expected result:
test! (phpinfo() output)

Actual result:
Nothing.  The browser doesn't receive any information to 
display and httpd begins to consume all available 


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2005-03-31 02:15 UTC] myronwu at gmail dot com
Reconfirmed the bug using the reproduce code on CVS snapshot php5-STABLE-200503302230, configure command:

'./configure' '--with-mysqli=/usr/local/mysql/bin/mysql_config' '--with-mysql=/usr/local/mysql' '--with-apache2=/usr/src/apache/httpd-2.0.53' '--enable-yp' '--enable-track-vars' '--with-zlib' '--with-jpeg' '--with-png' '--with-tiff' '--with-pdflib' '--with-gd' '--with-apxs2=/var/www/bin/apxs' '--with-gettext' '--with-pspell'

Otherwise same setup as reported above.
 [2005-03-31 08:20 UTC]
Does it only happen when you have phpinfo() in there?
(I'd put something else between there..)

Also, try doing ./configure --help sometimes. You have several options used that don't even exist. Like --enable-track-vars, --with-apache2..

 [2005-03-31 08:33 UTC] myronwu at gmail dot com
Sorry, it's my sysadmin that set up those 
configure variables....

Anyway, we used phpinfo() for example code because it 
outputs something larger than the example chunk size I 
was using of 2048 bytes.  I could manually write out 
more than 2048, but that probably wouldn't be as concise 
for bug reporting.

The problem we have specifically arises when the 
ob_gzhandler attempts to send out chunks.
 [2005-03-31 09:34 UTC]
You can always make the chunk size smaller than 2048?
Or doesn't this problem occur then?

 [2005-03-31 19:22 UTC] myronwu at gmail dot com
Pretty convinced this occurs whenever chunking occurs, 
irrespective of what the chunk size is.  Setting it to 
something silly like 1 also has the same problem, for 

I also confirmed again the same behaviour on a Mac OS X 
(10.3.8) machine, with its default php 4.3.10 setup over 
Apache 1.3.33, zlib 1.1.4.  Configure command is just 
what's default on os x, but if you don't have an os x 
machine handy, it's:

configure' '--prefix=/usr' '--mandir=/usr/share/man' '--
infodir=/usr/share/info' '--with-apxs' '--with-ldap=/
usr' '--with-kerberos=/usr' '--enable-cli' '--with-zlib-
dir=/usr' '--enable-trans-sid' '--with-xml' '--enable-
exif' '--enable-ftp' '--enable-mbstring' '--enable-
mbregex' '--enable-dbx' '--enable-sockets' '--with-
iodbc=/usr' '--with-curl=/usr' '--with-config-file-
path=/etc' '--sysconfdir=/private/etc'

The php.ini is untouched from defaults.
 [2005-03-31 19:27 UTC] myronwu at gmail dot com
Let me clarify some more, here's some more ob_start 
calls that you can substitute into the reproduce code 

These work OK:

ob_start(null, 2048);
ob_start(null, 1024);

These don't work:

ob_start('ob_gzhandler', 1024);
ob_start('ob_gzhandler', 2048);
ob_start('ob_gzhandler', 1);
 [2005-03-31 21:12 UTC]
Nobody should try this at home. :)
Definately eats all memory and eventually crashes.

Here's what I got in error_log:

PHP Fatal error:  Allowed memory size of 1603177144 bytes exhausted at /usr/src/php/php5/ext/zlib/zlib.c:623 

 [2005-03-31 21:15 UTC]
Also this was there:

PHP Fatal error:  Allowed memory size of 725463920 bytes exhausted at /usr/src/php/php5/main/output.c:229

 [2005-08-30 01:15 UTC]
Please try using this CVS snapshot:
For Windows:

 [2005-09-07 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Mar 04 06:01:30 2024 UTC