Bug #70727 zend_mm_heap corrupted when uncompressed size multiple of 1024
Submitted: 2015-10-16 12:13 UTC Modified: 2016-04-02 13:22 UTC
From: robw at escentual dot com Assigned: remi (profile)
Status: Closed Package: lzf (PECL)
PHP Version: 5.5.30 OS: CentOS 6.7
Private report: No CVE-ID: None
 [2015-10-16 12:13 UTC] robw at escentual dot com
Description:
------------
After I upgraded to pecl-lzf 1.6.3 I started seeing a small number of segfaults and "zend_mm_heap corrupted" errors; rolling back to 1.6.2 fixed the problem.

The problem seems to be limited to specific compressed strings (like the one in the example), but I'm not sure what is special about the string to cause the error.

The test script that I have provided actually works fine if the call to lzf_decompress is on the first line, but if there are any other lines before lzf_decompress() then the script fails with a "zend_mm_heap corrupted" error.

Test script:
---------------
<?php

$data = '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';

$data = lzf_decompress(base64_decode($data));

var_dump($data);

Expected result:
----------------
a var dump of a serialized php array:

string(2048) "a:6:{s:8:"batch_id";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:8:"batch_id";s:15:"COLUMN_POSITION";i:1;s:9:"DATA_TYPE";s:3:"int";s:7:"DEFAULT";N;s:8:"NULLABLE";b:0;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";b:1;s:7:"PRIMARY";b:1;s:16:"PRIMARY_POSITION";i:1;s:8:"IDENTITY";b:1;}s:10:"profile_id";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:10:"profile_id";s:15:"COLUMN_POSITION";i:2;s:9:"DATA_TYPE";s:3:"int";s:7:"DEFAULT";s:1:"0";s:8:"NULLABLE";b:0;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";b:1;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}s:8:"store_id";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:8:"store_id";s:15:"COLUMN_POSITION";i:3;s:9:"DATA_TYPE";s:8:"smallint";s:7:"DEFAULT";s:1:"0";s:8:"NULLABLE";b:0;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";b:1;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}s:7:"adapter";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:7:"adapter";s:15:"COLUMN_POSITION";i:4;s:9:"DATA_TYPE";s:7:"varchar";s:7:"DEFAULT";N;s:8:"NULLABLE";b:1;s:6:"LENGTH";s:3:"128";s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";N;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}s:6:"params";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:6:"params";s:15:"COLUMN_POSITION";i:5;s:9:"DATA_TYPE";s:4:"text";s:7:"DEFAULT";N;s:8:"NULLABLE";b:1;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";N;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}s:10:"created_at";a:14:{s:11:"SCHEMA_NAME";N;s:10:"TABLE_NAME";s:14:"dataflow_batch";s:11:"COLUMN_NAME";s:10:"created_at";s:15:"COLUMN_POSITION";i:6;s:9:"DATA_TYPE";s:9:"timestamp";s:7:"DEFAULT";N;s:8:"NULLABLE";b:1;s:6:"LENGTH";N;s:5:"SCALE";N;s:9:"PRECISION";N;s:8:"UNSIGNED";N;s:7:"PRIMARY";b:0;s:16:"PRIMARY_POSITION";N;s:8:"IDENTITY";b:0;}}"

Actual result:
--------------
script crashes with "zend_mm_heap corrupted" error
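The expected output above is a string of exactly 2048 bytes, two full 1024-byte units, which is the size class the retitled summary points at. The following C program is an added illustration, not the pecl/lzf extension's code and not the committed fix: it models one common way a "multiple of 1024" heap corruption arises in a decompressor, namely an output buffer rounded up to a 1024-byte step for the payload alone, followed by a terminating NUL written at out[len]. Whether that is the exact mechanism in lzf 1.6.3 is an assumption made here for illustration; the model deliberately bounds-checks the terminator write so it reports the overflow instead of corrupting the heap, and the constructed 2048-byte payload stands in for the decompressed string from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class (not the pecl/lzf source): a decompressor
 * grows its output buffer in CHUNK-byte steps and, once the payload is in
 * place, writes a terminating NUL at out[len]. Sizing for the payload alone
 * means that whenever len is an exact multiple of CHUNK the terminator lands
 * one byte past the allocation; from the outside that shows up as allocator
 * errors such as "zend_mm_heap corrupted" or a segfault. */
#define CHUNK 1024

/* Buggy sizing: capacity rounded up to the next CHUNK for the payload only. */
size_t buggy_capacity(size_t len)
{
    return ((len + CHUNK - 1) / CHUNK) * CHUNK;
}

/* Corrected sizing: reserve the terminator byte before rounding up. */
size_t fixed_capacity(size_t len)
{
    return ((len + 1 + CHUNK - 1) / CHUNK) * CHUNK;
}

/* 1 if a len-byte payload plus its NUL fits in capacity bytes, else 0. */
int terminator_fits(size_t len, size_t capacity)
{
    return len + 1 <= capacity;
}

/* Simulated "decompress": copies the payload into a buffer sized by the chosen
 * rule. Where the buggy code would write the NUL unconditionally, this model
 * checks first and returns NULL instead of writing past the allocation. */
char *copy_with_terminator(const unsigned char *payload, size_t len,
                           size_t (*capacity_fn)(size_t))
{
    size_t cap = capacity_fn(len);
    char *out = malloc(cap);
    if (out == NULL)
        return NULL;
    memcpy(out, payload, len);
    if (!terminator_fits(len, cap)) {
        free(out);          /* the real bug would write out[len] here anyway */
        return NULL;
    }
    out[len] = '\0';
    return out;
}

/* Count payload lengths in 1..max_len whose terminator would overflow. */
size_t count_overflowing_lengths(size_t max_len, size_t (*capacity_fn)(size_t))
{
    size_t n = 0;
    for (size_t len = 1; len <= max_len; len++)
        if (!terminator_fits(len, capacity_fn(len)))
            n++;
    return n;
}

int main(void)
{
    /* Constructed payload of exactly 2048 bytes, the size of the string the
     * report expects (two full chunks). */
    unsigned char payload[2048];
    memset(payload, 'a', sizeof payload);

    char *bad = copy_with_terminator(payload, sizeof payload, buggy_capacity);
    char *good = copy_with_terminator(payload, sizeof payload, fixed_capacity);
    printf("2048 bytes, buggy sizing : %s\n", bad ? "ok" : "terminator overflows");
    printf("2048 bytes, fixed sizing : %s (capacity %zu)\n",
           good ? "ok" : "terminator overflows", fixed_capacity(sizeof payload));
    printf("lengths 1..8192 that overflow: buggy=%zu fixed=%zu\n",
           count_overflowing_lengths(8192, buggy_capacity),
           count_overflowing_lengths(8192, fixed_capacity));
    free(bad);
    free(good);
    return 0;
}
```

Under the buggy rule every length that is an exact multiple of 1024 fails and every other length passes, which is why a bug of this shape only surfaces on a small fraction of inputs and looks input-specific, as the report describes. Building the real extension with AddressSanitizer (or running PHP under Valgrind) would flag the unconditional one-byte write as a heap-buffer-overflow at the point of the write rather than later as an allocator error, which is the most direct way to confirm or rule out this mechanism against the actual code.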

History

 [2016-04-02 13:22 UTC] remi@php.net
-Summary: zend_mm_heap corrupted +Summary: zend_mm_heap corrupted when uncompressed size multiple of 1024 -Status: Open +Status: Assigned -Assigned To: +Assigned To: remi
 [2016-04-02 13:23 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=pecl/file_formats/lzf.git;a=commit;h=bad22cce90903a4f176618c5749baa1fa53fd790
Log: Fix Bug #70727 zend_mm_heap corrupted when uncompressed size multiple of 1024
 [2016-04-02 13:23 UTC] remi@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 06 05:01:29 2024 UTC