Bug #32508 ob_gzhandler w/ chunking can crash Apache 2
Submitted: 2005-03-30 22:38 UTC Modified: 2005-09-07 01:00 UTC
Votes:5
Avg. Score:4.2 ± 0.7
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:2 (40.0%)
From: myronwu at gmail dot com Assigned:
Status: No Feedback Package: Output Control
PHP Version: 5CVS, 4CVS (2005-03-31) OS: *
Private report: No CVE-ID: None
 [2005-03-30 22:38 UTC] myronwu at gmail dot com
Description:
------------
In certain browsers, attempting to output data before a 
call to ob_start('ob_gzhandler', chunk_size) causes 
Apache 2 to consume huge (all) amounts of memory.  This 
only occurs when chunking takes place (ie size of data 
output > chunk_size).

Outputting data before a call to ob_start without a 
chunk_size or without 'ob_gzhandler' works as expected.

Browsers tested that were affected:  Firefox, Opera
Browsers tested that were unaffected:  Links

Diff between php.ini and php.ini-dist:
register_globals = On

Apache version:
Apache/2.0.53 (Unix) mod_ssl/2.0.53 OpenSSL/0.9.7a PHP/5.0.3

using prefork mpm.

Zlib version: 1.1.4

PHP configure command:

'./configure' '--with-mysqli=/usr/local/mysql/bin/mysql_config' '--with-mysql=/usr/local/mysql' '--with-apache2=/usr/src/apache/httpd-2.0.53' '--enable-yp' '--enable-track-vars' '--with-zlib' '--with-jpeg' '--with-png' '--with-tiff' '--with-pdflib' '--with-gd' '--with-apxs2=/var/www/bin/apxs' '--with-gettext' '--with-pspell'

This was also reproduced on another box with the same 
versions of Apache 2, zlib, but PHP 4.3.1 with configure 
command:

'./configure' '--with-mysql=/usr/local/mysql' '--with-apache2=/usr/src/httpd-2.0.46' '--enable-yp' '--enable-track-vars' '--with-zlib-dir=/usr/local/lib' '--with-jpeg-dir=/usr/local/lib' '--with-png-dir=/usr/local/lib' '--with-tiff-dir=/usr/local/lib' '--with-pdflib' '--with-gd=yes' '--with-apxs2=/var/www/bin/apxs'

Reproduce code:
---------------
<?php

echo 'test!';
ob_start('ob_gzhandler', 2048);
phpinfo();
ob_end_flush();

?>

Expected result:
----------------
test! (phpinfo() output)

Actual result:
--------------
Nothing.  The browser doesn't receive any information to 
display and httpd begins to consume all available 
memory.

 [2005-03-31 02:15 UTC] myronwu at gmail dot com
Reconfirmed the bug using the reproduce code on CVS snapshot php5-STABLE-200503302230, configure command:

'./configure' '--with-mysqli=/usr/local/mysql/bin/mysql_config' '--with-mysql=/usr/local/mysql' '--with-apache2=/usr/src/apache/httpd-2.0.53' '--enable-yp' '--enable-track-vars' '--with-zlib' '--with-jpeg' '--with-png' '--with-tiff' '--with-pdflib' '--with-gd' '--with-apxs2=/var/www/bin/apxs' '--with-gettext' '--with-pspell'

Otherwise same setup as reported above.
 [2005-03-31 08:20 UTC] sniper@php.net
Does it only happen when you have phpinfo() in there?
(I'd put something else between there..)

Also, try doing ./configure --help sometimes. You have several options used that don't even exist. Like --enable-track-vars, --with-apache2..

 [2005-03-31 08:33 UTC] myronwu at gmail dot com
Sorry, it's my sysadmin that set up those 
configure variables....

Anyway, we used phpinfo() for example code because it 
outputs something larger than the example chunk size I 
was using of 2048 bytes.  I could manually write out 
more than 2048, but that probably wouldn't be as concise 
for bug reporting.

The problem we have specifically arises when the 
ob_gzhandler attempts to send out chunks.
 [2005-03-31 09:34 UTC] sniper@php.net
You can always make the chunk size smaller than 2048?
Or doesn't this problem occur then?

 [2005-03-31 19:22 UTC] myronwu at gmail dot com
Pretty convinced this occurs whenever chunking occurs, 
irrespective of what the chunk size is.  Setting it to 
something silly like 1 also has the same problem, for 
example.

I also confirmed again the same behaviour on a Mac OS X 
(10.3.8) machine, with its default php 4.3.10 setup over 
Apache 1.3.33, zlib 1.1.4.  Configure command is just 
what's default on os x, but if you don't have an os x 
machine handy, it's:

'/SourceCache/apache_mod_php/apache_mod_php-17.5/php/configure' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-apxs' '--with-ldap=/usr' '--with-kerberos=/usr' '--enable-cli' '--with-zlib-dir=/usr' '--enable-trans-sid' '--with-xml' '--enable-exif' '--enable-ftp' '--enable-mbstring' '--enable-mbregex' '--enable-dbx' '--enable-sockets' '--with-iodbc=/usr' '--with-curl=/usr' '--with-config-file-path=/etc' '--sysconfdir=/private/etc'

The php.ini is untouched from defaults.
 [2005-03-31 19:27 UTC] myronwu at gmail dot com
Let me clarify some more, here's some more ob_start 
calls that you can substitute into the reproduce code 
given:

These work OK:

ob_start();
ob_start(null, 2048);
ob_start(null, 1024);
ob_start('ob_gzhandler');

These don't work:

ob_start('ob_gzhandler', 1024);
ob_start('ob_gzhandler', 2048);
ob_start('ob_gzhandler', 1);
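
A defensive wrapper built only from the combinations listed above, as an added example that is not part of the original report or of PHP itself. The helper name start_page_buffer() is hypothetical, and the example assumes that the "output before ob_start()" condition from the report is visible to the script through headers_sent().

```php
<?php
// Added example (not from the bug report). start_page_buffer() is a
// hypothetical helper; it only ever issues the ob_start() forms that the
// report lists as working and never combines ob_gzhandler with a chunk size.

/**
 * Start output buffering for a page.
 * Returns the mode chosen: 'gzip', 'plain' or 'none'.
 */
function start_page_buffer(bool $wantGzip = true): string
{
    // Output has already left PHP: this is the trigger condition in the
    // report. Fall back to a plain buffer and record where the early
    // output came from so it can be fixed.
    if (headers_sent($file, $line)) {
        error_log("early output at $file:$line; buffering without ob_gzhandler");
        return ob_start() ? 'plain' : 'none';
    }

    // No zlib support compiled in, or compression not requested.
    if (!$wantGzip || !function_exists('ob_gzhandler')) {
        return ob_start() ? 'plain' : 'none';
    }

    // ob_gzhandler WITHOUT a chunk size: listed as working in the report.
    if (ob_start('ob_gzhandler')) {
        return 'gzip';
    }

    // Handler could not be installed; degrade to an uncompressed buffer.
    return ob_start() ? 'plain' : 'none';
}

// Same shape as the reproduce code, with the guarded call substituted.
echo 'test!';
$mode = start_page_buffer();
phpinfo();
if ($mode !== 'none') {
    ob_end_flush();
}
```

With the early echo in place the helper takes the 'plain' branch; removing the echo lets it select 'gzip'.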
 [2005-03-31 21:12 UTC] sniper@php.net
Nobody should try this at home. :)
Definitely eats all memory and eventually crashes.

Here's what I got in error_log:

PHP Fatal error:  Allowed memory size of 1603177144 bytes exhausted at /usr/src/php/php5/ext/zlib/zlib.c:623 

 [2005-03-31 21:15 UTC] sniper@php.net
Also this was there:

PHP Fatal error:  Allowed memory size of 725463920 bytes exhausted at /usr/src/php/php5/main/output.c:229

 [2005-08-30 01:15 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-09-07 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
Last updated: Sat Dec 21 14:01:32 2024 UTC