php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67724 chained zlib filters silently fail with large amounts of data
Submitted: 2014-07-31 11:59 UTC Modified: 2014-08-05 08:19 UTC
From: sam at hocevar dot net Assigned: mike
Status: Closed Package: Filter related
PHP Version: 5.6.0RC2 OS: Debian GNU/Linux
Private report: No CVE-ID:
 [2014-07-31 11:59 UTC] sam at hocevar dot net
Description:
------------
The `zlib.inflate` filter silently fails in some circumstances.

The attached test case creates highly compressed files, then reads them in chunks of 4 KiB with two chained `zlib.inflate` filters. When the original data is larger than 25 MB, something breaks and I have no idea what or why.


Test script:
---------------
ini_set('display_startup_errors', 1);
ini_set('display_errors', 1);
error_reporting(-1);
 
/* Create a doubly-gzipped file, then read it back using zlib filters
 * and report how many KiB were decompressed. */
function create_and_read($f, $kb)
{
    system("dd count=$kb bs=1024 </dev/zero 2>/dev/null | gzip | gzip >| $f");
 
    $in = fopen($f, 'rb');
    $out = 0;
    $args = array('window' => 30);
    stream_filter_prepend($in, 'zlib.inflate', STREAM_FILTER_READ, $args);
    stream_filter_prepend($in, 'zlib.inflate', STREAM_FILTER_READ, $args);
    while (!feof($in))
        $out += strlen(fread($in, 4096));
 
    unlink($f);
 
    print "in: $kb KiB\tout: " . $out / 1024 . " KiB\n";
}
 
foreach (array(10, 100, 10000, 24800, 24801, 100000) as $kb)
    create_and_read('/tmp/x', $kb);

Expected result:
----------------
in: 10 KiB      out: 10 KiB
in: 100 KiB     out: 100 KiB
in: 10000 KiB   out: 10000 KiB
in: 24800 KiB   out: 24800 KiB
in: 24801 KiB   out: 24801 KiB
in: 100000 KiB  out: 100000 KiB

Actual result:
--------------
in: 10 KiB      out: 10 KiB
in: 100 KiB     out: 100 KiB
in: 10000 KiB   out: 10000 KiB
in: 24800 KiB   out: 24800 KiB
in: 24801 KiB   out: 0 KiB
in: 100000 KiB  out: 0 KiB

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-08-05 08:15 UTC] mike@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: mike
 [2014-08-05 08:15 UTC] mike@php.net
Working memory allocated is probably too less to hold the huge amount which is going to be inflated.
 [2014-08-05 08:18 UTC] mike@php.net
The filter apparently doesn't even try to reallocate on Z_MEM_ERROR
 [2014-08-05 08:19 UTC] mike@php.net
Works with pecl_http's http.inflate filter.
 [2014-08-05 13:49 UTC] mike@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e4ff7f2ee346d641715694209e61704c9e815483
Log: Fixed Bug #67724
 [2014-08-05 13:49 UTC] mike@php.net
-Status: Verified +Status: Closed
 [2014-08-11 07:43 UTC] dmitry@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e4ff7f2ee346d641715694209e61704c9e815483
Log: Fixed Bug #67724
 [2014-08-14 00:52 UTC] tyrael@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e4ff7f2ee346d641715694209e61704c9e815483
Log: Fixed Bug #67724
 [2014-08-20 20:15 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=46ee0e087e5bd6520051cb66d765fc428c51b1a4
Log: Revert &quot;Fixed Bug #67724&quot;
 [2014-08-21 08:28 UTC] jpauli@php.net
Automatic comment on behalf of jpauli
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e3acff3d1869cbe701f8a8c1f36f17d510512965
Log: Revert &quot;Fixed Bug #67724&quot; See https://bugs.php.net/bug.php?id=67865
 [2014-08-21 08:47 UTC] jpauli@php.net
Automatic comment on behalf of jpauli
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ae4ed8de425a9ed2165f141f6c355d3b3795379b
Log: Revert &quot;Fixed Bug #67724&quot; See https://bugs.php.net/bug.php?id=67865
 [2014-08-27 03:17 UTC] tyrael@php.net
Automatic comment on behalf of tyrael
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d18dd11cbdf2b359fd2fdb9eb8cea94a81cbc866
Log: Revert &quot;Fixed Bug #67724&quot;
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=e4ff7f2ee346d641715694209e61704c9e815483
Log: Fixed Bug #67724
 [2014-10-07 23:24 UTC] stas@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=e4ff7f2ee346d641715694209e61704c9e815483
Log: Fixed Bug #67724
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Apr 30 16:01:38 2017 UTC