PHP :: Bug #59715 :: consume leaks memory and corrupts heap

Bug #59715	consume leaks memory and corrupts heap
Submitted:	2011-04-14 15:24 UTC	Modified:	2011-04-14 16:25 UTC
From:	martin at ringehahn dot de	Assigned:
Status:	Closed	Package:	amqp (PECL)
PHP Version:	Irrelevant	OS:	FreeBSD 8.2-RELEASE
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	martin at ringehahn dot de
New email:
PHP Version:		OS:

New Comment:

[2011-04-14 15:24 UTC] martin at ringehahn dot de

Description:
------------
When running a loop w/ the consume method, the amqp extension 
leaks memory.

Reproduce code:
---------------
while (true) {
  $msgs = $q->consume(array('min'=>1, 'max'=>1));
}

Expected result:
----------------
The size of the php process should hover around some steady 
value.

Actual result:
--------------
The php process continuously grows and grows. When running 
with the suhosin extension, the php process exits with 
return code 1 and leaves
"ALERT - canary mismatch on efree() - heap overflow detected 
at 0x8d3d444"
in syslog.

the following patch fixes these issues for me:

--- amqp_queue.c.1      2011-04-14 15:22:39.814585000 -0400
+++ amqp_queue.c        2011-04-14 15:21:01.170504000 -0400
@@ -582,7 +582,7 @@
        array_init(return_value);
        char *buf = NULL;
 
-       buf = (char*) malloc(FRAME_MAX);
+       buf = (char*) emalloc(FRAME_MAX);
        if (!buf) {
                
zend_throw_exception(zend_exception_get_default(TSRMLS_C), 
"Out of memory (malloc)" ,0 TSRMLS_CC);       
        }
@@ -730,9 +730,9 @@
                        int count_buf = body_target / 
FRAME_MAX +1;
                        int resize = count_buf * FRAME_MAX;
                        buf_max = resize;
-                       pbuf = realloc(buf, resize);
+                       pbuf = erealloc(buf, resize);
                        if (!pbuf) {
-                               free(buf);
+                               efree(buf);
                                
zend_throw_exception(zend_exception_get_default(TSRMLS_C), 
"The memory is out (realloc)", 0 TSRMLS_CC);
                        }
                        buf = pbuf;

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-04-14 16:25 UTC] pdezwart at gmail dot com

This bug has been fixed in SVN.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

Thank you for the bug report.

Fixed in trunk at revision 310219.
There are a couple other bugs that need to be addressed before we tag a new release.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 16 21:01:28 2024 UTC