php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78326 improper memory deallocation on stream_get_contents() with fixed lenght buffer
Submitted: 2019-07-23 12:02 UTC Modified: -
From: albertcasademont at gmail dot com Assigned:
Status: Closed Package: Streams related
PHP Version: 7.2.21RC1 OS: Alpine Linux 3.10
Private report: No CVE-ID: None
 [2019-07-23 12:02 UTC] albertcasademont at gmail dot com
Description:
------------
When calling stream_get_contents() with a fixed length buffer, the memory allocated for that buffer is not freed even though the actual data might be much shorter than the allocated buffer. This can potentially crash the script just after a couple of stream_get_contents() calls due to memory issues.

If we don't specify a fixed lenght buffer, php will correctly reallocate the string to the exact amount of data read. This would also be the expected thing to do even if we fix the buffer length.



Test script:
---------------
<?php

$f = tmpfile();
fwrite($f, '.');

$chunks = array();
for ($i = 0; $i < 1000; ++$i) {
    rewind($f);
    $chunks[] = stream_get_contents($f, 1000000);
}
var_dump(count($chunks));

Expected result:
----------------
int(1000)

Actual result:
--------------
Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 1003520 bytes) in /in/HP2U9 on line 9

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-07-23 12:05 UTC] albertcasademont at gmail dot com
PR: https://github.com/php/php-src/pull/4464
 [2019-07-23 12:06 UTC] albertcasademont at gmail dot com
The following pull request has been associated:

Patch Name: fix #78326 memory issues with stream_get_contents() fixed length buffer
On GitHub:  https://github.com/php/php-src/pull/4464
Patch:      https://github.com/php/php-src/pull/4464.patch
 [2019-07-29 15:35 UTC] nikic@php.net
Automatic comment on behalf of albertcasademont@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dc7aa22b18b710aaa837c9466e9a77241f909c8a
Log: Fix bug #78326
 [2019-07-29 15:35 UTC] nikic@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Oct 16 07:01:27 2024 UTC