Bug #33551 double free or corruption by 65537 elements in array
Submitted: 2005-07-02 20:17 UTC Modified: 2005-07-02 21:43 UTC
From: bertrand at toggg dot com Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 4CVS-2005-07-02 (stable) OS: Linux 2.6.11-1 glibc 2.3.5-0
Private report: No CVE-ID: None
 [2005-07-02 20:17 UTC] bertrand at toggg dot com
Description:
------------
This script simply augments an array by duplicating its first element a number of times given as a parameter, then displays the count of the array and the memory usage.

$ php finout.php 65536
count:65536/2968016 bytes

$ php finout.php 65537
count:65537/3230200 bytes
*** glibc detected *** double free or corruption (!prev): 0x0923ce30 ***
Aborted

When the count reaches 65537, glibc issues this "post-mortem" message.

If instead of $arr[] = $arr[0]; I use $arr[] = 'x'; this message does not come.

Reproduce code:
---------------
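<?php
// Target element count, taken from the first CLI argument (default 1000).
$loop = isset($_SERVER['argv'][1]) ? $_SERVER['argv'][1]+0 : 1000;
error_reporting(E_ALL);
$arr = array ('x') ;
// Append the first element repeatedly until the array holds $loop elements.
while (--$loop) {
    $arr[] = $arr[0];
}
// Report the final element count and the memory in use.
echo 'count:'.count($arr).'/'.memory_get_usage() . " bytes\n";
?>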


 [2005-07-02 21:43 UTC] derick@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

And this is addressed in PHP 5.0 - a backport of the fix will not be made to PHP 4.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Mon Dec 15 23:00:01 2025 UTC