php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41430 Fatal error with negative values of maxlen parameter of file_get_contents()
Submitted: 2007-05-18 11:30 UTC Modified: 2007-05-21 09:39 UTC
From: nikhil dot gupta at in dot ibm dot com Assigned:
Status: Closed Package: Filesystem function related
PHP Version: 5CVS-2007-05-18 (snap) OS: LINUX, Win32-xp
Private report: No CVE-ID:
 [2007-05-18 11:30 UTC] nikhil dot gupta at in dot ibm dot com
Description:
------------
Fatal error is generated when the parameter "maxlen" of file_get_contents() is provided with value < -1. This behaviour is on PHP5 as well as on PHP6 on win32-xp and Linux.


Suggested Fix:
file : ext/standard/file.c
  function: file_get_content()
  Code :  This code snipped should be added just after parsing the input parameters.

    if ( maxlen < -1) {
       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maxlen parameter must be greater than or equal to 0");
       RETURN_FALSE;
    }

Explanation for the warning message in the suggested fix:
The maxlen is being checked for < -1 and not < 0 because, maxlen is initialized to  PHP_STREAM_COPY_ALL (i.e -1 ). The -1 mean that entire file will be read. default value -1 of maxlen is not documented in the php doc ,so user getting the warning message saying "Maxlen parameter must be greater than or equal to 0" is valid.


Reproduce code:
---------------
<?php
file_put_contents("datafile.txt", "abcdef");
var_dump(file_get_contents("datafile.txt", FALSE, NULL, 0, -1) );
var_dump(file_get_contents("datafile.txt", FALSE, NULL, 0, -5) );
?>

Expected result:
----------------
FATAL error is not expected. The negative value of maxlen should be handled with proper warning message.

Actual result:
--------------
string(6) "abcdef"
PHP Fatal error:  Out of memory (allocated 262144) (tried to allocate -4 bytes)
in C:\My_PROJECTS\PHP\workdir\binaries\php5\latest\tmp.php on line 4

BACKTRACE:

(gdb) bt
#0  zend_mm_safe_error (heap=0x83ec1e8, format=0x83b751c "Out of memory (allocated %ld) at %s:%d (tried to allocate %ld bytes)", limit=262144,filename=0x83a2a48 "/home/nikhil/workdir/php5/php5.2-200705150430/main/streams/streams.c", lineno=1234, size=4294967292)
at /home/nikhil/workdir/php5/php5.2-20705150430/Zend/zend_alloc.c:1616
#1  0x0828895e in _zend_mm_alloc_int (heap=0x83ec1e8,size=4294967292,
    __zend_filename=0x83a2a48 "/home/nikhil/workdir/php5/php5.2-200705150430/main/streams/streams.c", __zend_lineno=1234,
    __zend_orig_filename=0x838f1c4 "/home/nikhil/workdir/php5/php5.2-200705150430/ext/standard/file.c", __zend_orig_lineno=555)
    at /home/nikhil/workdir/php5/php5.2-200705150430/Zend/zend_alloc.c:1815
#2  0x082899b2 in _emalloc (size=4294967292, __zend_filename=0x83a2a48 "/home/nikhil/workdir/php5/php5.2-200705150430/main/streams/streams.c", __zend_lineno=1234, __zend_orig_filename=0x838f1c4 "/home/nikhil/workdir/php5/php5.2-200705150430/ext/standard/file.c", __zend_orig_lineno=555)at /home/nikhil/workdir/php5/php5.2-200705150430/Zend/zend_alloc.c:2243
#3  0x0826df2b in _php_stream_copy_to_mem (src=0xb7fb30f0, buf=0xbfffd188, maxlen=4294967291, persistent=0, __php_stream_call_depth=0,
    __zend_filename=0x838f1c4 "/home/nikhil/workdir/php5/php5.2-200705150430/ext/standard/file.c", __zend_lineno=555, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /home/nikhil/workdir/php5/php5.2-200705150430/main/streams/streams.c:1234
#4  0x081f1daf in zif_file_get_contents (ht=5, return_value=0xb7fb2b94, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /home/nikhil/workdir/php5/php5.2-200705150430/ext/standard/file.c:555
#5  0x082c2ae1 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffd380) at /home/nikhil/workdir/php5/php5.2-200705150430/Zend/zend_vm_execute.h:200
#6  0x082c753a in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffd380) at /home/nikhil/workdir/php5/php5.2-200705150430/Zend/zend_vm_execute.h:1681
#7  0x082c26f6 in execute (op_array=0xb7fb1c88) at /home/nikhil/workdir/php5/php5.2-200705150430/Zend/zend_vm_execute.h:92
#8  0x082a31f2 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/nikhil/workdir/php5/php5.2-200705150430/Zend/zend.c:1134
#9  0x0825bbd9 in php_execute_script (primary_file=0xbffff740) at /home/nikhil/workdir/php5/php5.2-200705150430/main/main.c:1794
#10 0x08308ef9 in main (argc=2, argv=0xbffff814) at /home/nikhil/workdir/php5/php5.2-200705150430/sapi/cli/php_cli.c:1138



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-05-18 12:07 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-05-21 07:16 UTC] nikhil dot gupta at in dot ibm dot com
Thanks for the fix!

Now I see that for maxlen=-1 also, the warning message is displayed (earlier it behaved same as maxlen=0 without warning message) which according to me is perfectly fine now.
But same question arises for offset parameter values handling also. When offset value is <=-1, it behaves same as offset=0 and there is no warning message displayed for offset to be greater than or equal to zero as displayed for maxlen after the fix for this bug.

I think for negative values (<=-1) of offset parameter also , the warning message like :
"offset must be greater than or equal to zero" should be displayed.
 [2007-05-21 09:01 UTC] tony2001@php.net
>I think for negative values (<=-1) of offset parameter also , the
>warning message like "offset must be greater than or equal to zero"
>should be displayed.

It is displayed for all values < 0 (when the parameter is specified).
 [2007-05-21 09:39 UTC] nikhil dot gupta at in dot ibm dot com
I mean the following:

Testcase:

<?php
file_put_contents("data.txt", "abcdef");
var_dump( file_get_contents("data.txt", FALSE, NULL, -2) );
?>

Actual Output:
string(6) "abcdef"

I was asking whether negative values for offset is acceptable?
I was suggesting to handle the negative offset values with a warning message similar to maxlen rather than output similar to that of offset=0.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 17:01:54 2014 UTC