PHP :: Bug #61058 :: array_fill leaks if start index is PHP_INT

Bug #61058	array_fill leaks if start index is PHP_INT_MAX
Submitted:	2012-02-11 19:51 UTC	Modified:	2012-03-02 03:41 UTC
From:	nikic@php.net	Assigned:	laruence (profile)
Status:	Closed	Package:	*General Issues
PHP Version:	Irrelevant	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

[2012-02-11 19:51 UTC] nikic@php.net

Description:
------------
<?php array_fill(PHP_INT_MAX, 2, '*')

Leaks:


[Sat Feb 11 20:47:35 2012]  Script:  'reproduceCode4_memoryLeak.php'
/home/nikic/dev/php-src-git/Zend/zend_vm_execute.h(2371) :  Freeing 0xB786F010 
(20 bytes), script=reproduceCode4_memoryLeak.php
[Sat Feb 11 20:47:35 2012]  Script:  'reproduceCode4_memoryLeak.php'
/home/nikic/dev/php-src-git/Zend/zend_vm_execute.h(2374) :  Freeing 0xB7870558 
(1 bytes), script=reproduceCode4_memoryLeak.php
/home/nikic/dev/php-src-git/Zend/zend_variables.c(121) : Actual location 
(location was relayed)
=== Total 2 memory leaks detected ===

Reason:

zval_add_ref is called regardless of whether zend_hash_next_index_insert 
succeeds in 
http://lxr.php.net/opengrok/xref/PHP_TRUNK/ext/standard/array.c#1570.

Patches

fill_up_to_possible_while_preventing_leak_61058 (last revision 2012-02-12 05:43 UTC by carloschilazo at gmail dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-02-12 04:42 UTC] laruence@php.net

There are lots of functions/codes doesn't check the return value of 
zend_hash_next_index_insert(and other variants of zend_hash_update_**).

So, IMO, there should be some familar issues there. 

if we only focus on this one, a simple patch will be(but I think it's no needed 
to fix this, since this really a intentional behavior :) thanks ):

Index: ext/standard/array.c
===================================================================
--- ext/standard/array.c	(revision 323122)
+++ ext/standard/array.c	(working copy)
@@ -1564,11 +1564,15 @@
 
 	num--;
 	zval_add_ref(&val);
-	zend_hash_index_update(Z_ARRVAL_P(return_value), start_key, &val, 
sizeof(zval *), NULL);
+	if (zend_hash_index_update(Z_ARRVAL_P(return_value), start_key, &val, 
sizeof(zval *), NULL) == FAILURE) {
+		zval_ptr_dtor(&val);
+	}
 
 	while (num--) {
 		zval_add_ref(&val);
-		zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &val, 
sizeof(zval *), NULL);
+		if (zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &val, 
sizeof(zval *), NULL) == FAILURE) {
+			zval_ptr_dtor(&val);
+		}
 	}
 }
 /* }}} */

[2012-02-12 04:56 UTC] laruence@php.net

hmm, I think I should fix this, since this was explored :)

[2012-02-12 04:59 UTC] laruence@php.net

Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=323160
Log: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)

[2012-02-12 05:01 UTC] laruence@php.net

Fixed in 5.3 , trunk, will close this after I meger this fix to 5.4.

[2012-02-12 05:01 UTC] laruence@php.net

-Assigned To: +Assigned To: laruence

[2012-02-12 05:32 UTC] laruence@php.net

Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=323161
Log: Improved fix for #61058, and add test script

[2012-03-02 03:40 UTC] laruence@php.net

Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=323782
Log: MFH: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)

[2012-03-02 03:41 UTC] laruence@php.net

-Status: Assigned +Status: Closed

[2012-03-02 03:41 UTC] laruence@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2012-04-18 09:45 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bcb9768f9e7e1989e94350b880305133b064dfb3
Log: MFH: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)

[2012-04-18 09:46 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3d898cfa3f7d801a47dc18fe665081ed738b70da
Log: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)

[2012-07-24 23:37 UTC] rasmus@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bcb9768f9e7e1989e94350b880305133b064dfb3
Log: MFH: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)

[2012-07-24 23:37 UTC] rasmus@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3d898cfa3f7d801a47dc18fe665081ed738b70da
Log: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)

[2013-11-17 09:33 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bcb9768f9e7e1989e94350b880305133b064dfb3
Log: MFH: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)

[2013-11-17 09:33 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3d898cfa3f7d801a47dc18fe665081ed738b70da
Log: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Oct 26 17:00:01 2025 UTC