php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #59715 consume leaks memory and corrupts heap
Submitted: 2011-04-14 15:24 UTC Modified: 2011-04-14 16:25 UTC
From: martin at ringehahn dot de Assigned:
Status: Closed Package: amqp (PECL)
PHP Version: Irrelevant OS: FreeBSD 8.2-RELEASE
Private report: No CVE-ID: None
 [2011-04-14 15:24 UTC] martin at ringehahn dot de
Description:
------------
When running a loop w/ the consume method, the amqp extension 
leaks memory.

Reproduce code:
---------------
while (true) {
  $msgs = $q->consume(array('min'=>1, 'max'=>1));
}

Expected result:
----------------
The size of the php process should hover around some steady 
value.

Actual result:
--------------
The php process continuously grows and grows. When running 
with the suhosin extension, the php process exits with 
return code 1 and leaves
"ALERT - canary mismatch on efree() - heap overflow detected 
at 0x8d3d444"
in syslog.

the following patch fixes these issues for me:

--- amqp_queue.c.1      2011-04-14 15:22:39.814585000 -0400
+++ amqp_queue.c        2011-04-14 15:21:01.170504000 -0400
@@ -582,7 +582,7 @@
        array_init(return_value);
        char *buf = NULL;
 
-       buf = (char*) malloc(FRAME_MAX);
+       buf = (char*) emalloc(FRAME_MAX);
        if (!buf) {
                
zend_throw_exception(zend_exception_get_default(TSRMLS_C), 
"Out of memory (malloc)" ,0 TSRMLS_CC);       
        }
@@ -730,9 +730,9 @@
                        int count_buf = body_target / 
FRAME_MAX +1;
                        int resize = count_buf * FRAME_MAX;
                        buf_max = resize;
-                       pbuf = realloc(buf, resize);
+                       pbuf = erealloc(buf, resize);
                        if (!pbuf) {
-                               free(buf);
+                               efree(buf);
                                
zend_throw_exception(zend_exception_get_default(TSRMLS_C), 
"The memory is out (realloc)", 0 TSRMLS_CC);
                        }
                        buf = pbuf; 


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-04-14 16:25 UTC] pdezwart at gmail dot com
This bug has been fixed in SVN.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

Thank you for the bug report.

Fixed in trunk at revision 310219.
There are a couple other bugs that need to be addressed before we tag a new release.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Apr 16 02:01:23 2021 UTC