Bug #59195 Error in MemoryManagement with long job names
Submitted: 2010-05-07 12:17 UTC Modified: 2011-05-15 14:16 UTC
From: mail+pecl at rodneyrehm dot de Assigned:
Status: Wont fix Package: gearman (PECL)
PHP Version: 5.2.13 OS: Gentoo Linux 2.6.31-gentoo-r10
Private report: No CVE-ID: None
 [2010-05-07 12:17 UTC] mail+pecl at rodneyrehm dot de
Description:
------------
Too long job names result in memory de/allocation errors (GearmanClient). 

This job name works fine:
$validJobName = 'abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcde'; // 77 characters

This job name results in memory management errors:
$brokenJobName = 'abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdef'; // 78 characters

The error occurs in PHP 5.3.13 on gentoo linux and in PHP 5.3.2 on Mac OS X.

Reproduce code:
---------------
do anything, only the job name matters!

Expected result:
----------------
A proper Error message / exception would be nice...

Actual result:
--------------
##########################
## Mac OS X / PHP 5.3.2:
##########################
php(27586) malloc: *** error for object 0x1028ec1d0: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Abort trap

##########################
## gentoo / PHP 5.2.13:
##########################
*** glibc detected *** php: double free or corruption (fasttop): 0x0000000000d59b70 ***
======= Backtrace: =========
/lib/libc.so.6[0x7eff3f14e808]
/lib/libc.so.6(cfree+0x6c)[0x7eff3f15324c]
/usr/lib/libgearman.so.4[0x7eff3e24bb45]
/usr/lib/libgearman.so.4(gearman_task_free+0x75)[0x7eff3e248d17]
/usr/lib/libgearman.so.4[0x7eff3e247f58]
/usr/lib/libgearman.so.4(gearman_client_do_low_background+0x62)[0x7eff3e247fc7]
/usr/lib64/php5/lib/php/extensions/no-debug-non-zts-20060613/gearman.so(zif_gearman_client_do_low_background+0xba)[0x7eff3e4613ec]
/usr/lib64/php5/lib/php/extensions/no-debug-non-zts-20060613/suhosin.so[0x7eff3cd2651d]
php[0x6121e8]
php(execute+0x153)[0x5ff6ce]
/usr/lib64/php5/lib/php/extensions/no-debug-non-zts-20060613/suhosin.so[0x7eff3cd26980]
php(zend_execute_scripts+0x135)[0x5e09ed]
php(php_execute_script+0x1dd)[0x5a3838]
php(main+0xe19)[0x644516]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7eff3f0f9a26]
php[0x452799]
Aborted


 [2011-05-15 14:16 UTC] hradtke@php.net
This is an issue with libgearman.  The maximum size of the arguments contained in the packet going over the line is 128.  This must contain 37 bytes for the unique id and some space for some other information.  This essentially means that the maximum length for a job name is 77 characters.

If you think this is a serious issue, you can report it as a bug at http://gearman.org.
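
A caller-side guard that produces the exception the report asks for, instead of letting an over-long name reach libgearman. This is an added example, not code from the report or from pecl/gearman: `assertSafeGearmanJobName` and `submitLowBackground` are hypothetical helpers, the limit of 77 is the figure given in the comment above, and counting it in bytes is an assumption.

```php
<?php
// Added example; not part of the bug report or of pecl/gearman.
// 77 is the maximum job name length stated in the maintainer's comment.
// Measuring it in bytes with strlen() is an assumption, chosen because it
// is the stricter reading for multibyte names.
const GEARMAN_MAX_JOB_NAME_BYTES = 77;

/**
 * Hypothetical helper: throw before an over-long name reaches libgearman.
 */
function assertSafeGearmanJobName(string $name): string
{
    $len = strlen($name);
    if ($len > GEARMAN_MAX_JOB_NAME_BYTES) {
        throw new LengthException(sprintf(
            'Gearman job name is %d bytes; limit is %d',
            $len,
            GEARMAN_MAX_JOB_NAME_BYTES
        ));
    }
    return $name;
}

/**
 * Hypothetical wrapper around the call that appears in the backtrace.
 * The name is validated first, so a bad name fails in PHP with an exception.
 */
function submitLowBackground(GearmanClient $client, string $name, string $workload): string
{
    return $client->doLowBackground(assertSafeGearmanJobName($name), $workload);
}

// The two job names from the report: 77 and 78 characters.
$base = 'abcdefghijklmnopqrstuvwxyz0123456789';
foreach ([$base . $base . 'abcde', $base . $base . 'abcdef'] as $name) {
    try {
        assertSafeGearmanJobName($name);
        printf("%d bytes: accepted\n", strlen($name));
    } catch (LengthException $e) {
        printf("%d bytes: rejected (%s)\n", strlen($name), $e->getMessage());
    }
}
```

The demonstration loop runs without the gearman extension loaded; only `submitLowBackground` needs a real `GearmanClient`.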
 