Bug #61058 array_fill leaks if start index is PHP_INT_MAX
Submitted: 2012-02-11 19:51 UTC Modified: 2012-03-02 03:41 UTC
From: nikic@php.net Assigned: laruence
Status: Closed Package: *General Issues
PHP Version: Irrelevant OS:
Private report: No CVE-ID:
 [2012-02-11 19:51 UTC] nikic@php.net
Description:
------------
<?php array_fill(PHP_INT_MAX, 2, '*');

Leaks:


[Sat Feb 11 20:47:35 2012]  Script:  'reproduceCode4_memoryLeak.php'
/home/nikic/dev/php-src-git/Zend/zend_vm_execute.h(2371) :  Freeing 0xB786F010 (20 bytes), script=reproduceCode4_memoryLeak.php
[Sat Feb 11 20:47:35 2012]  Script:  'reproduceCode4_memoryLeak.php'
/home/nikic/dev/php-src-git/Zend/zend_vm_execute.h(2374) :  Freeing 0xB7870558 (1 bytes), script=reproduceCode4_memoryLeak.php
/home/nikic/dev/php-src-git/Zend/zend_variables.c(121) : Actual location (location was relayed)
=== Total 2 memory leaks detected ===

Reason:

zval_add_ref is called regardless of whether zend_hash_next_index_insert succeeds in http://lxr.php.net/opengrok/xref/PHP_TRUNK/ext/standard/array.c#1570.
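The reference/insert ordering the report describes, as an added C model that is not PHP's code (the names rc_val, ihash, index_update, next_index_insert and model_fill are hypothetical): it mirrors the add-ref-then-insert control flow of array_fill and counts how many references end up owned by nobody, with and without a check of the insert's FAILURE result.

```c
#include <limits.h>

/* Constructed model of the array_fill() refcount bug from this report. The names
 * (rc_val, ihash, model_fill) are hypothetical; only the control flow mirrors
 * ext/standard/array.c: add a reference, then insert, and (in the fixed variant)
 * drop the reference again when the insert reports FAILURE. */
enum { SUCCESS = 0, FAILURE = -1 };

typedef struct { int refcount; } rc_val;          /* stands in for a zval */

typedef struct {
    long next_free;   /* like nNextFreeElement: the key the next append would get */
    int  used_max;    /* 1 once the LONG_MAX slot is occupied (the only slot tracked) */
    int  count;       /* number of references the table owns */
} ihash;

static void add_ref(rc_val *v) { v->refcount++; }
static void ptr_dtor(rc_val *v) { v->refcount--; }

/* Explicit-key update: always succeeds in this model, as it did for start_key. */
static int index_update(ihash *h, long key) {
    if (key == LONG_MAX) h->used_max = 1;
    h->count++;
    h->next_free = key < LONG_MAX ? key + 1 : LONG_MAX;  /* PHP 5 caps at LONG_MAX */
    return SUCCESS;
}

/* Append: fails once the capped next index is already taken, which is what
 * zend_hash_next_index_insert reports after a PHP_INT_MAX key was used. */
static int next_index_insert(ihash *h) {
    if (h->next_free == LONG_MAX && h->used_max) return FAILURE;
    h->count++;
    if (h->next_free == LONG_MAX) h->used_max = 1; else h->next_free++;
    return SUCCESS;
}

/* Returns the number of references nobody owns after filling: 0 means no leak. */
int model_fill(long start, long num, int fixed) {
    rc_val v = { 1 };                 /* one reference held by the caller */
    ihash h = { 0, 0, 0 };
    num--;
    add_ref(&v);
    if (index_update(&h, start) == FAILURE && fixed) ptr_dtor(&v);
    while (num--) {
        add_ref(&v);                  /* taken before we know the insert succeeded */
        if (next_index_insert(&h) == FAILURE && fixed) ptr_dtor(&v);  /* fixed path gives it back */
    }
    return v.refcount - 1 - h.count;  /* refs held minus the caller's minus the table's */
}
```

Each failing append in the unfixed variant leaves exactly one stray reference, so the leak count equals the number of elements that could not be stored.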


Patches

fill_up_to_possible_while_preventing_leak_61058 (last revision 2012-02-12 05:43 UTC by carloschilazo at gmail dot com)

History

 [2012-02-12 04:42 UTC] laruence@php.net
There are lots of functions/code paths that don't check the return value of zend_hash_next_index_insert (and other variants of zend_hash_update_**).

So, IMO, there should be some similar issues there.

If we only focus on this one, a simple patch would be (but I think it's not needed to fix this, since this really is intentional behavior :) thanks):

Index: ext/standard/array.c
===================================================================
--- ext/standard/array.c	(revision 323122)
+++ ext/standard/array.c	(working copy)
@@ -1564,11 +1564,15 @@
 
 	num--;
 	zval_add_ref(&val);
-	zend_hash_index_update(Z_ARRVAL_P(return_value), start_key, &val, 
sizeof(zval *), NULL);
+	if (zend_hash_index_update(Z_ARRVAL_P(return_value), start_key, &val, 
sizeof(zval *), NULL) == FAILURE) {
+		zval_ptr_dtor(&val);
+	}
 
 	while (num--) {
 		zval_add_ref(&val);
-		zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &val, 
sizeof(zval *), NULL);
+		if (zend_hash_next_index_insert(Z_ARRVAL_P(return_value), &val, 
sizeof(zval *), NULL) == FAILURE) {
+			zval_ptr_dtor(&val);
+		}
 	}
 }
 /* }}} */
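Review bot: in the `while (num--)` hunk the loop keeps running after the first FAILURE, so every remaining iteration repeats an add_ref / insert / zval_ptr_dtor round trip that is bound to fail for the same reason (the next free index cannot advance past PHP_INT_MAX); add a `break;` right after `zval_ptr_dtor(&val);` so the function stops at the first failed append. The function also returns a silently truncated array with fewer than `num` elements, so consider emitting a warning or returning false when an insert fails instead of handing back a partial result without notice.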
 [2012-02-12 04:56 UTC] laruence@php.net
Hmm, I think I should fix this, since this was explored :)
 [2012-02-12 04:59 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=323160
Log: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)
 [2012-02-12 05:01 UTC] laruence@php.net
Fixed in 5.3, trunk; will close this after I merge this fix to 5.4.
 [2012-02-12 05:01 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2012-02-12 05:32 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=323161
Log: Improved fix for #61058, and add test script
 [2012-03-02 03:40 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=323782
Log: MFH: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)
 [2012-03-02 03:41 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2012-03-02 03:41 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

 [2012-04-18 09:45 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bcb9768f9e7e1989e94350b880305133b064dfb3
Log: MFH: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3d898cfa3f7d801a47dc18fe665081ed738b70da
Log: Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX)
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 19:02:15 2014 UTC