php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78326 improper memory deallocation on stream_get_contents() with fixed lenght buffer
Submitted: 2019-07-23 12:02 UTC Modified: -
From: albertcasademont at gmail dot com Assigned:
Status: Closed Package: Streams related
PHP Version: 7.2.21RC1 OS: Alpine Linux 3.10
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: albertcasademont at gmail dot com
New email:
PHP Version: OS:

 

 [2019-07-23 12:02 UTC] albertcasademont at gmail dot com
Description:
------------
When calling stream_get_contents() with a fixed length buffer, the memory allocated for that buffer is not freed even though the actual data might be much shorter than the allocated buffer. This can potentially crash the script just after a couple of stream_get_contents() calls due to memory issues.

If we don't specify a fixed lenght buffer, php will correctly reallocate the string to the exact amount of data read. This would also be the expected thing to do even if we fix the buffer length.



Test script:
---------------
<?php

$f = tmpfile();
fwrite($f, '.');

$chunks = array();
for ($i = 0; $i < 1000; ++$i) {
    rewind($f);
    $chunks[] = stream_get_contents($f, 1000000);
}
var_dump(count($chunks));

Expected result:
----------------
int(1000)

Actual result:
--------------
Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 1003520 bytes) in /in/HP2U9 on line 9

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-07-23 12:05 UTC] albertcasademont at gmail dot com
PR: https://github.com/php/php-src/pull/4464
 [2019-07-23 12:06 UTC] albertcasademont at gmail dot com
The following pull request has been associated:

Patch Name: fix #78326 memory issues with stream_get_contents() fixed length buffer
On GitHub:  https://github.com/php/php-src/pull/4464
Patch:      https://github.com/php/php-src/pull/4464.patch
 [2019-07-29 15:35 UTC] nikic@php.net
Automatic comment on behalf of albertcasademont@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dc7aa22b18b710aaa837c9466e9a77241f909c8a
Log: Fix bug #78326
 [2019-07-29 15:35 UTC] nikic@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Dec 13 08:01:24 2019 UTC