Bug #73928 __zend_realloc doesn't respect len=0
Submitted: 2017-01-13 23:53 UTC Modified: 2020-10-19 16:01 UTC
From: dev at pp3345 dot net Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: 7.1.0 OS: Linux
Private report: No CVE-ID: None
 [2017-01-13 23:53 UTC] dev at pp3345 dot net
According to `man realloc`, realloc() may return NULL if a valid pointer and size=0 is passed, e.g. realloc(<ptr>, 0) is the same as free(<ptr>). However, __zend_realloc always interprets NULL as OOM and therefore bails out when trying to reallocate a pointer to size 0. For example, mysqlnd sometimes calls erealloc(<ptr>, 0), which will crash PHP when running with USE_ZEND_ALLOC=0.

From zend_alloc.c, lines 2834 - 2841:
ZEND_API void * __zend_realloc(void *p, size_t len)
{
	p = realloc(p, len);
	if (EXPECTED(p)) {
		return p;
	}
	/* remaining lines (the out-of-memory bail-out) are not quoted in the report */
}

It should probably be something like if (EXPECTED(p) || !len).


 [2017-01-14 18:00 UTC]
This appears to be related to bug #73370 (might even be a duplicate).
 [2017-01-14 18:29 UTC] dev at pp3345 dot net
Oh, didn't see that one, sorry for that. Actually, the behavior I described in my initial post is compliant with C89 (according to and C99. It seems that realloc(<ptr>, 0) is undefined/implementation-dependent as of C11. Since PHP is written in C89 and there obviously is code in PHP that actually depends on this behavior, I think it would be the best option to comply with C89 and interpret realloc(<ptr>, 0) as free(<ptr>), thus adding checks for len=0.
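Added example (not PHP's own code) modelling the OOM check quoted in the report and the `!len` fix proposed there, with the C89 free-on-zero behaviour injected as a constructed allocator so the outcome does not depend on the host libc; realloc_c89, zend_realloc_buggy, zend_realloc_fixed and run_scenario are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Model of __zend_realloc's check. The allocator is injected because,
 * as the thread notes, realloc(p, 0) frees p and returns NULL under
 * C89/glibc but may return a unique non-NULL pointer under C99/C11. */
typedef void *(*realloc_fn)(void *, size_t);

static void *realloc_c89(void *p, size_t len)
{
    if (len == 0) {          /* constructed: C89 semantics of len == 0 */
        free(p);
        return NULL;
    }
    return realloc(p, len);
}

static int oom_bailouts = 0; /* how often a wrapper would have aborted */

/* Original check: every NULL is taken as out of memory. */
static void *zend_realloc_buggy(realloc_fn r, void *p, size_t len)
{
    p = r(p, len);
    if (p) return p;
    oom_bailouts++;          /* PHP bails out here; we only count it */
    return NULL;
}

/* Proposed check: NULL together with len == 0 is a successful free. */
static void *zend_realloc_fixed(realloc_fn r, void *p, size_t len)
{
    p = r(p, len);
    if (p || len == 0) return p;
    oom_bailouts++;
    return NULL;
}

/* The mysqlnd pattern from the report: allocate, then erealloc(ptr, 0).
 * Returns how many spurious OOM bail-outs the wrapper produced. */
static int run_scenario(void *(*wrapper)(realloc_fn, void *, size_t))
{
    int before = oom_bailouts;
    char *buf = wrapper(realloc_c89, NULL, 16);
    if (!buf) return -1;     /* genuine allocation failure */
    memcpy(buf, "hello", 6);
    wrapper(realloc_c89, buf, 0); /* frees buf and returns NULL */
    return oom_bailouts - before;
}
```

The buggy wrapper reports one false out-of-memory condition for a plain free, the fixed wrapper none.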
 [2020-10-19 16:01 UTC]
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2020-10-19 16:01 UTC]
Well, actually this is duplicate of bug #73370.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Thu Jan 20 06:03:34 2022 UTC