Bug #40181 double free problem after 64k iterations
Submitted: 2007-01-20 15:40 UTC Modified: 2007-01-21 00:12 UTC
From: giovanni at giacobbi dot net Assigned:
Status: Wont fix Package: Reproducible crash
PHP Version: 4.4.4 OS: linux
Private report: No CVE-ID: None
 [2007-01-20 15:40 UTC] giovanni at giacobbi dot net
The following code snippet produces a double free error. I don't think my glibc/linux versions matter, anyway I can provide them on request.

An interesting thing is that the bug manifests itself only at the 65536th iteration. Removing any reference to the $index variable doesn't reproduce the bug any longer.

Reproduce code:
function m($index) {
  global $x;
  return $x[$index];
}

$i = 0;
$x = array("x");
while (m($i)) {
  $p[] = m($i);   // $i never changes, so this loop does not terminate on its own
}

Actual result:
*** glibc detected *** php: double free or corruption (fasttop): 0x09d89a08 ***


 [2007-01-20 19:35 UTC]
You have to upgrade to PHP5 in order to change this 65536 limit to 2147483647.
Though, I would not expect endless loops to "work" anyway.
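The 65536 figure, and the PHP 5 limit of 2147483647 quoted above, match a 16-bit reference counter that PHP 5 widened to 32 bits. As an added illustration that is not taken from the bug report or from the PHP source, the C model below (all names hypothetical) shows a 16-bit refcount wrapping to zero so the value is released while an owner still holds it, beside a checked increment that refuses to take the reference instead of wrapping.

```c
/* Added example: minimal model of a reference-counted value with a 16-bit
 * counter (assumed to mirror PHP 4's zval refcount width), not PHP's code. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint16_t refcount;   /* 16-bit counter: 65535 + 1 wraps to 0 */
    int freed;           /* set once the value has been released */
} value_t;

/* Unchecked increment: silently wraps. Always returns 0. */
static int addref_unchecked(value_t *v) { v->refcount++; return 0; }

/* Checked increment: returns -1 instead of wrapping, so the caller can fail
 * cleanly rather than corrupt the ownership state. */
static int addref_checked(value_t *v) {
    if (v->refcount == UINT16_MAX) return -1;
    v->refcount++;
    return 0;
}

/* Drop one reference; release the value when the count reaches zero. */
static void delref(value_t *v) {
    if (--v->refcount == 0) v->freed = 1;
}

/* One owner holds the value, `holds` further references are taken (like the
 * $p[] appends in the report), then a short-lived temporary takes and drops
 * one more. Returns 1 if the value was freed while the owner still held it,
 * -1 if the checked increment refused, 0 if everything stayed consistent. */
int simulate(int checked, unsigned long holds) {
    value_t v = { 1, 0 };
    int (*addref)(value_t *) = checked ? addref_checked : addref_unchecked;
    for (unsigned long i = 0; i < holds; i++)
        if (addref(&v) != 0) return -1;
    if (addref(&v) != 0) return -1;   /* temporary takes a reference */
    delref(&v);                       /* temporary drops it again */
    return v.freed ? 1 : 0;           /* owner never released: premature free */
}

int main(void) {
    printf("unchecked, 100 holds:   %d\n", simulate(0, 100));    /* 0 */
    printf("unchecked, 65535 holds: %d\n", simulate(0, 65535));  /* 1 */
    printf("checked,   65535 holds: %d\n", simulate(1, 65535));  /* -1 */
    return 0;
}
```

Any later release by the owner would then free the same memory a second time, which is the "double free or corruption" glibc reports.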
 [2007-01-21 00:12 UTC] giovanni at giacobbi dot net
I'd like to know what causes this weird behaviour. I don't want to crash on such things if manipulating long arrays anyway.

Please note that taking away "is_int($index)" from my code snippet lets the endless loop keep going forever (well, at least until you have enough RAM).

Thank you.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Apr 18 12:01:28 2024 UTC