|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61461 Large HTTP request Content-Length header values result in failed malloc() call
Submitted: 2012-03-21 00:53 UTC Modified: 2012-03-21 01:16 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: contact at kaankivilcim dot com Assigned: iliaa (profile)
Status: Closed Package: Built-in web server
PHP Version: 5.4.0 OS: All
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: contact at kaankivilcim dot com
New email:
PHP Version: OS:


 [2012-03-21 00:53 UTC] contact at kaankivilcim dot com
A denial of service condition can be triggered by HTTP requests that are sent to the built-in PHP web server with a large Content-Length header value.

The value of the Content-Length header is passed directly to a pemalloc() call in sapi/cli/php_cli_server.c on line 1538. The inline function defined within Zend/zend_alloc.h for malloc() will fail, and will terminate the process with the error message "Out of memory".

1534 	static int php_cli_server_client_read_request_on_body(php_http_parser *parser, const char *at, size_t length)
1535 	{
1536 	php_cli_server_client *client = parser->data;
1537 	if (!client->request.content) {
1538 	client->request.content = pemalloc(parser->content_length, 1);
1539 	client->request.content_len = 0;
1540 	}
1541 	memmove(client->request.content + client->request.content_len, at, length);
1542 	client->request.content_len += length;
1543 	return 0;
1544 	}

Setting a value (e.g. 2^31 - 10) for the Content-Length header close to the upper limit of an int for the platform (e.g. 32-bit) in use will trigger the condition.

Test script:
An example HTTP request that will trigger the bug is shown below.

Content-Type: application/x-www-form-urlencoded
Content-Length: 2147483648


Expected result:
The expected output would be a meaningful error message.

Invalid request (Requested Content-Length is larger the allowed limit of XYZ)

Actual result:
The output observed for the PHP process is shown below.

PHP 5.4.0 Development Server started at Tue Mar 20 19:41:45 2012
Listening on
Document root is /tmp
Press Ctrl-C to quit.
Out of memory


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2012-03-21 01:16 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

 [2012-03-21 01:16 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: iliaa
 [2014-10-07 23:28 UTC]
Automatic comment on behalf of iliaal
Log: Fixed bug #61461 (missing checks around malloc() calls).
 [2014-10-07 23:39 UTC]
Automatic comment on behalf of iliaal
Log: Fixed bug #61461 (missing checks around malloc() calls).
 [2016-07-18 06:23 UTC] 2790908629 at qq dot com
PHP Content - Length Header Remote denial of service attacks
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Sep 25 09:03:37 2021 UTC