PHP :: Bug #70727 :: zend_mm_heap corrupted when uncompressed size multiple of 1024

Bug #70727	zend_mm_heap corrupted when uncompressed size multiple of 1024
Submitted:	2015-10-16 12:13 UTC	Modified:	2016-04-02 13:22 UTC
From:	robw at escentual dot com	Assigned:	remi (profile)
Status:	Closed	Package:	lzf (PECL)
PHP Version:	5.5.30	OS:	CentOS 6.7
Private report:	No	CVE-ID:	None

View Developer Edit

[2015-10-16 12:13 UTC] robw at escentual dot com

Description:
------------
After I upgraded to pecl-lzf 1.6.3 I started seeing a small number of segfaults and "zend_mm_heap corrupted" errors, rolling back to 1.6.2 fixed the problem.

The problem seems to be limited to specific compressed strings (like the one in the example), but I'm not sure what is special about the string to cause the error.

The test script that I have provided actually works fine if the call to lzf_decompress is on the first line, but if there are any other lines before lzf_decompress() then the script fails with a "zend_mm_heap corrupted" error.

Test script:
---------------
<?php

$data = 'F2E6Njp7czo4OiJiYXRjaF9pZCI7YToxNEAUEjExOiJTQ0hFTUFfTkFNRSI7TjsgFAcwOiJUQUJMRaATIBELNDoiZGF0YWZsb3dfYEVgFSA8BUNPTFVNTuAAKOAEZCA3ADXgACEMUE9TSVRJT04iO2k6MSAaCjk6IkRBVEFfVFlQIHYHczozOiJpbnRACQA3IBkFRUZBVUxUgI4gUwNOVUxMQJAEIjtiOjAgLAg2OiJMRU5HVEiAISBlAlNDQUAeQL4gWQVQUkVDSVNgbUARIEEHVU5TSUdORURAQUB+IGQGUFJJTUFSWcARADEgVKAS4AisIEAGSURFTlRJVKAuAH0gLyElBnByb2ZpbGXhVFLgB2cgESDvoXfhA1UAMiAaIPvhGlUgQgI6IjBAByDY4VdbQa/hDVuhmuEDWQAwQVkglANzdG9y4VVW4ARkIKHhDVMAMyAa4QdTQDkDbWFsbOIKriBH4ZNYIvQGYWRhcHRlcuRRAeADYyEO4Q1WADQgGuEHViA4BXZhcmNoYSCcYA3kEwRDwiOvxARkPgIxMjhACSBx5CEMQoIgeKP3RAriKa4ghwVwYXJhbXPhUVTgAmLhEFMANSAa4QdTJbYCdGV45RtV4QZQQRfhaEhE6QhjcmVhdGVkX2EgtOZPpOAHZyARIOvlClEANiAa4QdSIA8IdGltZXN0YW1wQDoiPeIiqOFpVwF9fQ==';

$data = lzf_decompress(base64_decode($data));

var_dump($data);

Expected result:
----------------
a var dump of a serialized php array:

string(2048) "a:6:{s:8:"batch_id";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:8:"batch_id";s:15:"COLUMN_POSITION";i:1;s:9:"DATA_TYPE";s:3:"int";s:7:"DEFAULT";N;s:8:"NULLABLE";b:0;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";b:1;s:7:"PRIMARY";b:1;s:16:"PRIMARY_POSITION";i:1;s:8:"IDENTITY";b:1;}s:10:"profile_id";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:10:"profile_id";s:15:"COLUMN_POSITION";i:2;s:9:"DATA_TYPE";s:3:"int";s:7:"DEFAULT";s:1:"0";s:8:"NULLABLE";b:0;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";b:1;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}s:8:"store_id";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:8:"store_id";s:15:"COLUMN_POSITION";i:3;s:9:"DATA_TYPE";s:8:"smallint";s:7:"DEFAULT";s:1:"0";s:8:"NULLABLE";b:0;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";b:1;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}s:7:"adapter";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:7:"adapter";s:15:"COLUMN_POSITION";i:4;s:9:"DATA_TYPE";s:7:"varchar";s:7:"DEFAULT";N;s:8:"NULLABLE";b:1;s:6:"LENGTH";s:3:"128";s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";N;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}s:6:"params";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:6:"params";s:15:"COLUMN_POSITION";i:5;s:9:"DATA_TYPE";s:4:"text";s:7:"DEFAULT";N;s:8:"NULLABLE";b:1;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";N;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}s:10:"created_at";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:10:"created_at";s:15:"COLUMN_POSITION";i:6;s:9:"DATA_TYPE";s:9:"timestamp";s:7:"DEFAULT";N;s:8:"NULLABLE";b:1;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";N;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}}"

Actual result:
--------------
script crashes with "zend_mm_heap corrupted" error

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-04-02 13:22 UTC] remi@php.net

-Summary: zend_mm_heap corrupted +Summary: zend_mm_heap corrupted when uncompressed size multiple of 1024 -Status: Open +Status: Assigned -Assigned To: +Assigned To: remi

[2016-04-02 13:23 UTC] remi@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=pecl/file_formats/lzf.git;a=commit;h=bad22cce90903a4f176618c5749baa1fa53fd790
Log: Fix Bug #70727 zend_mm_heap corrupted when uncompressed size multiple of 1024

[2016-04-02 13:23 UTC] remi@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Mon Dec 30 14:01:28 2024 UTC