Bug #73928 __zend_realloc doesn't respect len=0
Submitted: 2017-01-13 23:53 UTC Modified: 2017-01-14 18:00 UTC
From: dev at pp3345 dot net Assigned:
Status: Open Package: Reproducible crash
PHP Version: 7.1.0 OS: Linux
Private report: No CVE-ID: None
 [2017-01-13 23:53 UTC] dev at pp3345 dot net
Description:
------------
According to `man realloc`, realloc() may return NULL if a valid pointer and size=0 is passed, e.g. realloc(<ptr>, 0) is the same as free(<ptr>). However, __zend_realloc always interprets NULL as OOM and therefore bails out when trying to reallocate a pointer to size 0. For example, mysqlnd sometimes calls erealloc(<ptr>, 0), which will crash PHP when running with USE_ZEND_ALLOC=0.

From zend_alloc.c, lines 2834 - 2841:
ZEND_API void * __zend_realloc(void *p, size_t len)
{
	p = realloc(p, len);
	if (EXPECTED(p)) {
		return p;
	}
	/* Reached for any NULL result, including the len == 0 case where a
	 * C89-style realloc() has simply freed p and returned NULL. */
	zend_out_of_memory();
}

It should probably be something like if (EXPECTED(p) || !len).


 [2017-01-14 18:00 UTC] cmb@php.net
This appears to be related to bug #73370 (might even be a duplicate).
 [2017-01-14 18:29 UTC] dev at pp3345 dot net
Oh, didn't see that one, sorry for that. Actually, the behavior I described in my initial post is compliant with C89 (according to http://port70.net/~nsz/c/c89/c89-draft.html#4.10.3.4) and C99. It seems that realloc(<ptr>, 0) is undefined/implementation-dependent as of C11. Since PHP is written in C89 and there obviously is code in PHP that actually depends on this behavior, I think it would be the best option to comply with C89 and interpret realloc(<ptr>, 0) as free(<ptr>), thus adding checks for len=0.
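The realloc(<ptr>, 0) hazard from the report and the C89-versus-C11 point in the comment above, as an added example in C that is not part of the bug report or of PHP's own code. naive_realloc mirrors the quoted __zend_realloc logic but returns a status instead of bailing out, so the misreported OOM can be observed; safe_realloc is a constructed hardened wrapper that handles len == 0 itself (as a free) and never passes a zero size to realloc(), so its result does not depend on whether the libc frees-and-returns-NULL or hands back a minimal block. All function and enum names here are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes for the wrappers below (constructed for this example). */
enum realloc_status { RS_OK = 0, RS_OOM = 1 };

/* Mirrors the quoted __zend_realloc logic: every NULL from realloc() is
 * taken to mean out-of-memory. On a C89/glibc-style libc, realloc(p, 0)
 * frees p and returns NULL, so a legitimate len == 0 request is flagged as
 * OOM (the crash path in the report). */
static void *naive_realloc(void *p, size_t len, enum realloc_status *st)
{
    void *q = realloc(p, len);
    if (q != NULL) {
        *st = RS_OK;
        return q;
    }
    *st = RS_OOM; /* wrong for len == 0 when realloc() freed p */
    return NULL;
}

/* Hardened wrapper: len == 0 is treated as free(p), the reporter's proposed
 * semantics, and realloc() is only ever called with a non-zero size. A NULL
 * result then really is an allocation failure; in that case p is left
 * untouched and still owned by the caller. */
static void *safe_realloc(void *p, size_t len, enum realloc_status *st)
{
    if (len == 0) {
        free(p);
        *st = RS_OK;
        return NULL;
    }
    void *q = realloc(p, len);
    *st = (q != NULL) ? RS_OK : RS_OOM;
    return q;
}

/* Returns 1 if the hardened wrapper reports success for a len == 0 request
 * on a valid block and hands back NULL, 0 otherwise. */
int check_safe_zero_len(void)
{
    enum realloc_status st = RS_OOM;
    char *p = malloc(32);
    if (p == NULL) return 0;
    memcpy(p, "constructed", 12); /* constructed sample content */
    void *q = safe_realloc(p, 0, &st);
    return q == NULL && st == RS_OK;
}

/* Returns 1 if a normal grow through the hardened wrapper preserves the
 * original contents and reports success, 0 otherwise. */
int check_safe_grow(void)
{
    enum realloc_status st = RS_OOM;
    char *p = malloc(8);
    if (p == NULL) return 0;
    strcpy(p, "abc"); /* constructed sample content */
    char *q = safe_realloc(p, 64, &st);
    int ok = (q != NULL) && st == RS_OK && strcmp(q, "abc") == 0;
    free(q);
    return ok;
}

/* Probes this libc's realloc(p, 0) through the naive wrapper. Returns 1 when
 * the libc frees and returns NULL, which the naive logic misreports as OOM;
 * 0 when the libc returns a block instead (freed here so nothing leaks);
 * -1 if the initial malloc fails. */
int naive_misreports_zero_len(void)
{
    enum realloc_status st = RS_OK;
    void *p = malloc(16);
    if (p == NULL) return -1;
    void *q = naive_realloc(p, 0, &st);
    if (q != NULL) {
        free(q);
        return 0;
    }
    return st == RS_OOM;
}

int main(void)
{
    printf("safe_realloc(len=0) ok: %d\n", check_safe_zero_len());
    printf("safe_realloc(grow)  ok: %d\n", check_safe_grow());
    printf("naive wrapper misreports len=0 as OOM on this libc: %d\n",
           naive_misreports_zero_len());
    return 0;
}
```

The important design choice is that safe_realloc decides the len == 0 case before touching realloc(), rather than patching the NULL check with `|| !len` after the fact: the latter still leaves the behaviour tied to whichever C standard the libc follows, while the former gives every platform the C89 semantics that the calling code (mysqlnd's erealloc(<ptr>, 0) in the report) already relies on.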
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC