Bug #68365 zend_mm_heap corrupted (in zend_hash_copy)
Submitted: 2014-11-06 14:59 UTC Modified: 2014-11-07 07:00 UTC
From: remi@php.net Assigned: dmitry
Status: Closed Package: *General Issues
PHP Version: 5.5.18 OS: Fedora 20
Private report: No CVE-ID:
 [2014-11-06 14:59 UTC] remi@php.net
Description:
------------
In some (hard to reproduce) run conditions, if the memory limit is triggered during zend_hash_copy, zend_mm_heap can be corrupted (and PHP can segfault during shutdown).

I think the problem occurs in _zend_hash_index_update_or_next_insert, on
   p  = (Bucket *) pemalloc_rel(sizeof(Bucket), ht->persistent);

5.6 is also affected.


Test script:
---------------
<?php
error_reporting(E_ALL);
set_time_limit(5);
ini_set('memory_limit', '256M');
// A large array: the copies made below push memory use toward the limit.
$arrayLarge = array_fill(0, 1010911, '*');
echo "Running 5/50 (get_defined_vars).\n";
$array_get_defined_vars_5 = get_defined_vars();
echo "Running 14/50 (array_merge).\n";
$array_array_merge_14 = array_merge($arrayLarge, $array_get_defined_vars_5);
echo "Running 30/50 (exec).\n";
// $arrayLarge is shared with the copies above, so passing it to exec()'s
// by-reference output parameter forces a separation, i.e. a full copy of the
// array (zend_hash_copy). The fatal error in the output below is reported on
// this line (line 11 of the file).
$string_exec_30 = exec(false, $arrayLarge);


Expected result:
----------------
Running 5/50 (get_defined_vars).
Running 14/50 (array_merge).
Running 30/50 (exec).
PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 72 bytes) in /home/rcollet/work/0d22753b8b97c56a401d760b9580a08b.php on line 11
zend_mm_heap corrupted


Actual result:
--------------
Running 5/50 (get_defined_vars).
Running 14/50 (array_merge).
Running 30/50 (exec).
PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 72 bytes) in /home/rcollet/work/0d22753b8b97c56a401d760b9580a08b.php on line 11
zend_mm_heap corrupted


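The failure mode described in this report, as an added C model that is not Zend code and not the fix from the linked commit: the allocator, the bucket layout, the budget, the three-entry table and the `init_first` switch are all assumptions made here to show the mechanism. A memory-limit bailout is a non-local exit (longjmp) out of the middle of a copy; if the destination table is already reachable while a bucket's payload pointer is still uninitialized, the shutdown destructor later frees a wild pointer, which is the kind of bad free a memory manager reports as heap corruption. The same copy with every field initialized before the next allocation that can bail out survives the same bailout.

```c
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model, not Zend's structures: a linked table of buckets, each
 * owning a heap-allocated string. */
typedef struct bucket { char *val; struct bucket *next; } bucket_t;
typedef struct { bucket_t *head; } table_t;

/* Assumed allocator with a byte budget; exceeding it longjmps out, standing
 * in for zend_mm's E_ERROR bailout on memory_limit. The live-block registry
 * lets limited_free() flag a free of a pointer it never handed out, which
 * is what zend_mm reports as "zend_mm_heap corrupted". */
#define MAX_BLOCKS 64
static void *g_live[MAX_BLOCKS];
static size_t g_nlive, g_used, g_budget;
static jmp_buf g_bailout;

static void *limited_alloc(size_t n) {
    if (g_used + n > g_budget || g_nlive == MAX_BLOCKS) longjmp(g_bailout, 1);
    void *p = malloc(n);
    memset(p, 0xAB, n);                /* stand-in for uninitialized garbage */
    g_used += n;
    g_live[g_nlive++] = p;
    return p;
}

static int limited_free(void *p) {     /* 0 = valid free, 1 = not a live block */
    for (size_t i = 0; i < g_nlive; i++)
        if ((uintptr_t)g_live[i] == (uintptr_t)p) {
            free(p);
            g_live[i] = g_live[--g_nlive];
            return 0;
        }
    return 1;
}

/* Copy src into dst. With init_first == 0 this is the buggy pattern: the
 * bucket is reachable from dst while b->val is still garbage, so a bailout
 * in the payload allocation leaves dst holding a wild pointer. With
 * init_first != 0 every field is valid before the next allocation that can
 * bail out, so the shutdown destructor can always walk dst safely. */
static void copy_table(table_t *dst, const table_t *src, int init_first) {
    bucket_t **tail = &dst->head;
    for (const bucket_t *s = src->head; s; s = s->next) {
        bucket_t *b = limited_alloc(sizeof *b);
        if (init_first) b->val = NULL;                /* the whole fix */
        b->next = NULL;
        *tail = b; tail = &b->next;
        b->val = limited_alloc(strlen(s->val) + 1);   /* may bail out here */
        strcpy(b->val, s->val);
    }
}

/* "Shutdown": free the table, returning the number of invalid frees. */
static int destroy_table(table_t *t) {
    int bad = 0;
    for (bucket_t *b = t->head, *next; b; b = next) {
        next = b->next;
        if (b->val) bad += limited_free(b->val);
        bad += limited_free(b);
    }
    t->head = NULL;
    return bad;
}

typedef struct { int bailed; int bad_frees; } result_t;
#define SMALL_BUDGET (2 * sizeof(bucket_t) + 8)   /* runs out mid-copy */

/* Copy a constructed three-entry table with the budget applied to the copy
 * alone, then "shut down" and report whether the heap survived. */
static result_t run(int init_first, size_t budget) {
    static const char *words[] = { "alpha", "beta", "gamma" };
    static table_t src, dst;           /* static: dst changes across longjmp */
    result_t r = { 0, 0 };
    g_nlive = 0; g_used = 0; g_budget = (size_t)-1;
    src.head = dst.head = NULL;
    bucket_t **tail = &src.head;
    for (int i = 0; i < 3; i++) {
        bucket_t *b = limited_alloc(sizeof *b);
        b->val = limited_alloc(strlen(words[i]) + 1);
        strcpy(b->val, words[i]);
        b->next = NULL;
        *tail = b; tail = &b->next;
    }
    g_budget = g_used + budget;
    if (setjmp(g_bailout) == 0) copy_table(&dst, &src, init_first); else r.bailed = 1;
    r.bad_frees = destroy_table(&dst);
    destroy_table(&src);
    while (g_nlive) free(g_live[--g_nlive]);   /* drop anything leaked */
    return r;
}

int main(void) {
    result_t a = run(0, SMALL_BUDGET), b = run(1, SMALL_BUDGET);
    printf("buggy: bailed=%d bad=%d\nfixed: bailed=%d bad=%d\n",
           a.bailed, a.bad_frees, b.bailed, b.bad_frees);
    return 0;
}
```

Both runs bail out at the same allocation; only the uninitialized copy produces an invalid free at shutdown. The point generalizes beyond hash copies: any structure that becomes reachable from a destructor before all of its pointers are valid turns an out-of-memory bailout into memory corruption, which is why dmitry's comment below calls the fix partial.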
History

 [2014-11-07 07:00 UTC] dmitry@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: dmitry
 [2014-11-07 07:00 UTC] dmitry@php.net
This particular problem must be fixed in PHP-5.4 and above.
However, this was not a general fix, and a similar problem may be triggered from many other places.
 [2014-11-07 07:40 UTC] remi@php.net
Partial fix for bug #68365 (zend_mm_heap corrupted after memory overflow in zend_hash_copy)

http://git.php.net/?p=php-src.git;a=commitdiff;h=9dfa843a386b65b18353c510f032e322004d0bb7
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Apr 23 05:01:47 2017 UTC