php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71882 Negative ftruncate() on php://memory exhausts memory
Submitted: 2016-03-22 20:26 UTC Modified: 2016-08-29 15:57 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: miloslav dot hula at gmail dot com Assigned: cmb
Status: Closed Package: Streams related
PHP Version: Irrelevant OS:
Private report: No CVE-ID:
 [2016-03-22 20:26 UTC] miloslav dot hula at gmail dot com
Description:
------------
Calling ftruncate() with negative index on php://memory leads to memory exhaustion and fatal error.

https://3v4l.org/k720s

Test script:
---------------
<?php

$fd = fopen("php://memory", "w+");
ftruncate($fd, -1);

Expected result:
----------------
(nothing)

Actual result:
--------------
Fatal error: Out of memory (allocated 2097152) (tried to allocate 18446744073709551615 bytes) in /in/k720s on line 4

mmap() failed: [22] Invalid argument
mmap() failed: [22] Invalid argument

Process exited with code 255.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-06-21 21:10 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2016-06-21 21:10 UTC] cmb@php.net
ftruncate() expects size as signed integer[1] and passes it on to
_php_stream_truncate_set_size() which expects an unsigned
integer[2]. Obviously, that doesn't work well for negative
integers.

[1] <https://github.com/php/php-src/blob/php-7.0.7/ext/standard/file.c#L1542>
[2] <https://github.com/php/php-src/blob/php-7.0.7/main/php_streams.h#L430>
 [2016-08-12 13:00 UTC] totszwai at gmail dot com
I am running into similar problem, but differently.
I am currently porting a php5.x extension to php7, the test cases ran fine in php5, and failed with the exact same errors shown here when it tries to allocate custom objects.

mmap() failed: [22] Invalid argument
mmap() failed: [22] Invalid argument
Fatal error: Out of memory (allocated 2097152) (tried to allocate 18446744073709551608 bytes)

This is perhaps, php7 related instead of "PHP version: Irrelevant"?
 [2016-08-29 15:55 UTC] cmb@php.net
@totszwai Yours is another issue, as <https://3v4l.org/k720s>
shows (which also exhibits this behavior under PHP 5), albeit
apparently also caused by a respective signed to unsigned
conversion. Please open another ticket, and supply a test script.
 [2016-08-29 15:57 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2016-08-30 00:30 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=207dab585aadd9f320976a0895734d7d9ca7b862
Log: Fix #71882: Negative ftruncate() on php://memory exhausts memory
 [2016-08-30 00:30 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2016-08-31 12:34 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f215fb874ff30cf9be6322210c58021e75a7c393
Log: Fix #71882 amendment: Negative ftruncate() on php://memory exhausts memory
 [2016-08-31 12:56 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=314a9f8553625eec8f5cfc60360790533d786bc5
Log: Fix #71882 amendment: Negative ftruncate() on php://memory exhausts memory
 [2016-08-31 14:59 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b2d267d9ee034fa6b502901caa9a81bcc2212755
Log: Fix #71882 amendment 2: Negative ftruncate() on php://memory exhausts memory
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b2d267d9ee034fa6b502901caa9a81bcc2212755
Log: Fix #71882 amendment 2: Negative ftruncate() on php://memory exhausts memory
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=314a9f8553625eec8f5cfc60360790533d786bc5
Log: Fix #71882 amendment: Negative ftruncate() on php://memory exhausts memory
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f215fb874ff30cf9be6322210c58021e75a7c393
Log: Fix #71882 amendment: Negative ftruncate() on php://memory exhausts memory
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=207dab585aadd9f320976a0895734d7d9ca7b862
Log: Fix #71882: Negative ftruncate() on php://memory exhausts memory
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Jul 25 16:01:42 2017 UTC