Bug #81070 Integer underflow in memory limit comparison
Submitted: 2021-05-22 10:46 UTC Modified: 2021-05-22 10:53 UTC
From: pvandommelen at gmail dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 7.3.28 OS:
Private report: No CVE-ID: None
 [2021-05-22 10:46 UTC] pvandommelen at gmail dot com
Description:
------------
When more memory is allocated, the currently allocated memory is compared to the limit. There is currently an integer underflow problem when the limit is lower than the currently allocated memory. This can occur when the memory limit is changed dynamically through `set_ini("memory_limit", ..)`.

This was introduced in 7.2.23 and also exists in 7.3.10 and all versions of 7.4 and 8.0.
https://github.com/php/php-src/commit/16d35eb643bf974554e5264021ee10fc969e2053

The code sample illustrates the problem. Allocation after the memory limit is reduced should throw an error. 

The old behaviour can probably be reintroduced by also verifying that the memory limit is higher than the currently allocated memory.

Test script:
---------------
https://3v4l.org/egq60

```
<?php
echo sprintf("\n%.1fMB", memory_get_usage(true) / 1024 / 1024);

// allocate a large byte string of around 5 MB
$a = str_repeat("0", 5 * 1024 * 1024);
echo sprintf("\n%.1fMB", memory_get_usage(true) / 1024 / 1024);

// setting the memory limit lower than the current is accepted
ini_set("memory_limit", "3M");
echo sprintf("\n%.1fMB", memory_get_usage(true) / 1024 / 1024);

// further allocation beyond the limit
$b = str_repeat("0", 5 * 1024 * 1024);
echo sprintf("\n%.1fMB", memory_get_usage(true) / 1024 / 1024);
```
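The wraparound described in the report, as an added example that is not part of the original report or of php-src: a minimal C model of an unsigned `limit - real_size` comparison, shown beside a version that first checks that the limit is not below current usage. The names `heap_model`, `CHUNK_SIZE` and the three functions are hypothetical, and the sizes are constructed.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of an allocator's accounting; not php-src code. */
#define CHUNK_SIZE ((size_t)2 * 1024 * 1024)   /* constructed chunk size */

typedef struct {
    size_t limit;      /* configured memory limit in bytes */
    size_t real_size;  /* bytes currently held by the allocator */
} heap_model;

/* Unguarded form: when limit < real_size the unsigned subtraction wraps
 * to a value near SIZE_MAX, so the request always appears to fit. */
static bool over_limit_unguarded(const heap_model *h, size_t request)
{
    return request > h->limit - h->real_size;
}

/* Guarded form: first verify the limit is not below current usage,
 * the extra comparison the report proposes. */
static bool over_limit_guarded(const heap_model *h, size_t request)
{
    if (h->limit < h->real_size)
        return true;                       /* already over the limit */
    return request > h->limit - h->real_size;
}

/* Headroom as the unguarded check computes it (wraps modulo SIZE_MAX + 1). */
static size_t apparent_headroom(const heap_model *h)
{
    return h->limit - h->real_size;
}

int main(void)
{
    /* Constructed values: about 8 MB in use, limit lowered to 3 MB. */
    heap_model h = { .limit = 3u * 1024 * 1024, .real_size = 8u * 1024 * 1024 };
    printf("apparent headroom: %zu bytes\n", apparent_headroom(&h));
    printf("unguarded rejects: %d\n", over_limit_unguarded(&h, CHUNK_SIZE));
    printf("guarded rejects:   %d\n", over_limit_guarded(&h, CHUNK_SIZE));
    return 0;
}
```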


History

 [2021-05-22 10:53 UTC] pvandommelen at gmail dot com
-Summary: Regression in 7.4.6 when yielding an array based generator
+Summary: Integer underflow in memory limit comparison
 [2021-05-22 10:53 UTC] pvandommelen at gmail dot com
Browser autofilled the title of an old bug report
 [2021-05-24 09:40 UTC] pvandommelen at gmail dot com
The following pull request has been associated:

Patch Name: Fix #81070: Integer underflow when memory limit is exceeded
On GitHub:  https://github.com/php/php-src/pull/7040
Patch:      https://github.com/php/php-src/pull/7040.patch
 [2021-05-31 13:25 UTC] git@php.net
Automatic comment on behalf of pvandommelen (author) and nikic (committer)
Revision: https://github.com/php/php-src/commit/1b3b5c94e52d10eb7a3f69b486a51b3f4d214d4f
Log: Fixed bug #81070
 [2021-05-31 13:25 UTC] git@php.net
-Status: Open
+Status: Closed
 
Last updated: Fri Apr 26 03:01:32 2024 UTC