php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70727 zend_mm_heap corrupted when uncompressed size multiple of 1024
Submitted: 2015-10-16 12:13 UTC Modified: 2016-04-02 13:22 UTC
From: robw at escentual dot com Assigned: remi (profile)
Status: Closed Package: lzf (PECL)
PHP Version: 5.5.30 OS: CentOS 6.7
Private report: No CVE-ID: None
 [2015-10-16 12:13 UTC] robw at escentual dot com
Description:
------------
After I upgraded to pecl-lzf 1.6.3 I started seeing a small number of segfaults and "zend_mm_heap corrupted" errors, rolling back to 1.6.2 fixed the problem.

The problem seems to be limited to specific compressed strings (like the one in the example), but I'm not sure what is special about the string to cause the error.

The test script that I have provided actually works fine if the call to lzf_decompress is on the first line, but if there are any other lines before lzf_decompress() then the script fails with a "zend_mm_heap corrupted" error.

Test script:
---------------
<?php

$data = 'F2E6Njp7czo4OiJiYXRjaF9pZCI7YToxNEAUEjExOiJTQ0hFTUFfTkFNRSI7TjsgFAcwOiJUQUJMRaATIBELNDoiZGF0YWZsb3dfYEVgFSA8BUNPTFVNTuAAKOAEZCA3ADXgACEMUE9TSVRJT04iO2k6MSAaCjk6IkRBVEFfVFlQIHYHczozOiJpbnRACQA3IBkFRUZBVUxUgI4gUwNOVUxMQJAEIjtiOjAgLAg2OiJMRU5HVEiAISBlAlNDQUAeQL4gWQVQUkVDSVNgbUARIEEHVU5TSUdORURAQUB+IGQGUFJJTUFSWcARADEgVKAS4AisIEAGSURFTlRJVKAuAH0gLyElBnByb2ZpbGXhVFLgB2cgESDvoXfhA1UAMiAaIPvhGlUgQgI6IjBAByDY4VdbQa/hDVuhmuEDWQAwQVkglANzdG9y4VVW4ARkIKHhDVMAMyAa4QdTQDkDbWFsbOIKriBH4ZNYIvQGYWRhcHRlcuRRAeADYyEO4Q1WADQgGuEHViA4BXZhcmNoYSCcYA3kEwRDwiOvxARkPgIxMjhACSBx5CEMQoIgeKP3RAriKa4ghwVwYXJhbXPhUVTgAmLhEFMANSAa4QdTJbYCdGV45RtV4QZQQRfhaEhE6QhjcmVhdGVkX2EgtOZPpOAHZyARIOvlClEANiAa4QdSIA8IdGltZXN0YW1wQDoiPeIiqOFpVwF9fQ==';

$data = lzf_decompress(base64_decode($data));

var_dump($data);

Expected result:
----------------
a var dump of a serialized php array:

string(2048) "a:6:{s:8:"batch_id";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:8:"batch_id";s:15:"COLUMN_POSITION";i:1;s:9:"DATA_TYPE";s:3:"int";s:7:"DEFAULT";N;s:8:"NULLABLE";b:0;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";b:1;s:7:"PRIMARY";b:1;s:16:"PRIMARY_POSITION";i:1;s:8:"IDENTITY";b:1;}s:10:"profile_id";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:10:"profile_id";s:15:"COLUMN_POSITION";i:2;s:9:"DATA_TYPE";s:3:"int";s:7:"DEFAULT";s:1:"0";s:8:"NULLABLE";b:0;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";b:1;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}s:8:"store_id";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:8:"store_id";s:15:"COLUMN_POSITION";i:3;s:9:"DATA_TYPE";s:8:"smallint";s:7:"DEFAULT";s:1:"0";s:8:"NULLABLE";b:0;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";b:1;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}s:7:"adapter";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:7:"adapter";s:15:"COLUMN_POSITION";i:4;s:9:"DATA_TYPE";s:7:"varchar";s:7:"DEFAULT";N;s:8:"NULLABLE";b:1;s:6:"LENGTH";s:3:"128";s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";N;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}s:6:"params";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:6:"params";s:15:"COLUMN_POSITION";i:5;s:9:"DATA_TYPE";s:4:"text";s:7:"DEFAULT";N;s:8:"NULLABLE";b:1;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";N;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}s:10:"created_at";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:10:"created_at";s:15:"COLUMN_POSITION";i:6;s:9:"DATA_TYPE";s:9:"timestamp";s:7:"DEFAULT";N;s:8:"NULLABLE";b:1;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";N;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}}"

Actual result:
--------------
script crashes with "zend_mm_heap corrupted" error

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-04-02 13:22 UTC] remi@php.net
-Summary: zend_mm_heap corrupted +Summary: zend_mm_heap corrupted when uncompressed size multiple of 1024 -Status: Open +Status: Assigned -Assigned To: +Assigned To: remi
 [2016-04-02 13:23 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=pecl/file_formats/lzf.git;a=commit;h=bad22cce90903a4f176618c5749baa1fa53fd790
Log: Fix Bug #70727 zend_mm_heap corrupted when uncompressed size multiple of 1024
 [2016-04-02 13:23 UTC] remi@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Nov 17 00:01:34 2019 UTC