Bug #67917 Using GMP objects with overloaded operators can cause memory exhaustion.
Submitted: 2014-08-27 15:32 UTC
Modified: -
From: leight+phpbugs at gmail dot com
Assigned:
Status: Closed
Package: GNU MP related
PHP Version: 5.6Git-2014-08-27 (Git)
OS: Linux 3.14
Private report: No
CVE-ID:
 [2014-08-27 15:32 UTC] leight+phpbugs at gmail dot com
Description:
------------
PHP version was from a pull of the 5.6 branch this morning.

sapi/cli/php -v
PHP 5.6.1-dev (cli) (built: Aug 27 2014 11:35:34) (DEBUG)

Configured with --disable-all --enable-debug --enable-bcmath and --with-gmp 

I believe there may be a refcount issue with either the shift-left-assign or or-assign operators. I can reliably exhaust available memory with a function using these operators.

In the provided script import() works as intended and does not use the assign-ops, whereas import2() uses assign-ops and causes memory exhaustion.

Test script:
---------------
<?php

function import($bin)
{
    $c = unpack('C*', $bin);

    $i = count($c);
    $ret = gmp_init($c[$i--]);
    while ($i > 0) {
        $ret = ($ret << 8) | $c[$i--];
    }

    return $ret;
}

function import2($bin)
{
    $c = unpack('C*', $bin);

    $i = count($c);
    $ret = gmp_init($c[$i--]);
    while ($i > 0) {
        $ret <<= 8;
        $ret |= $c[$i--];
    }

    return $ret;
}

print "import 1 x 10000\n";
for ($i = 0; $i < 10000; $i++) {
    import(str_repeat('a', 100));
}

print "import 2 x 10000\n";
for ($i = 0; $i < 10000; $i++) {
    import2(str_repeat('a', 100));
}


Expected result:
----------------
import 1 x 10000
import 2 x 10000

Process finished with exit code 0

Actual result:
--------------
import 1 x 10000
import 2 x 10000

Fatal error: Allowed memory size of 134217728 bytes exhausted at gmp.c:384 (tried to allocate 48 bytes) in test.php on line 24

Process finished with exit code 255


 [2014-08-27 20:17 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fc5f93166371d275b8982e14e0868b776c039d25
Log: Fix bug #67917 (gmp compound assignment operator leak)
 [2014-08-27 20:17 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2014-08-27 20:24 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fc5f93166371d275b8982e14e0868b776c039d25
Log: Fix bug #67917 (gmp compound assignment operator leak)
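
A regression check for the leak fixed in the commit above, as an added example that is not part of the original report or of php-src: it runs the same arithmetic with plain and with compound assignment operators and compares how much memory each form retains according to memory_get_usage(). The helper name growth(), the round count and the TOLERANCE_BYTES value are assumptions; the gmp extension must be loaded.

```php
<?php
// Added example (not from the report): detect the GMP compound-assignment
// leak from bug #67917 by comparing memory growth of two equivalent loops.
// Assumed names and values: growth(), $rounds, TOLERANCE_BYTES.

const TOLERANCE_BYTES = 65536; // assumed allowance for allocator noise

// Run $body repeatedly and return how many bytes PHP's allocator gained.
function growth(callable $body, $rounds = 1000)
{
    $body(); // warm-up, so one-time allocations are not counted
    $before = memory_get_usage();
    for ($i = 0; $i < $rounds; $i++) {
        $body();
    }
    return memory_get_usage() - $before;
}

// Same arithmetic as import(): plain operators, result reassigned.
$plain = function () {
    $v = gmp_init(0x61);
    for ($i = 0; $i < 50; $i++) {
        $v = ($v << 8) | 0x61;
    }
    return gmp_strval($v, 16);
};

// Same arithmetic as import2(): compound assignment operators.
$compound = function () {
    $v = gmp_init(0x61);
    for ($i = 0; $i < 50; $i++) {
        $v <<= 8;
        $v |= 0x61;
    }
    return gmp_strval($v, 16);
};

if ($plain() !== $compound()) {
    fwrite(STDERR, "operator forms disagree\n");
    exit(2);
}

$plainGrowth = growth($plain);
$compoundGrowth = growth($compound);
printf("plain: %d bytes, compound: %d bytes\n", $plainGrowth, $compoundGrowth);

$leaks = ($compoundGrowth - $plainGrowth) > TOLERANCE_BYTES;
echo $leaks ? "LEAK: compound assignment retains memory\n" : "OK\n";
exit($leaks ? 1 : 0);
```

The script exits with status 1 when the compound form retains more memory than the plain form beyond the tolerance, so it can be used as a build check.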
 