On Tue, Sep 16, 2014 at 9:43 AM, Anatol Belski <a...@php.net> wrote:

> Hi Nikita,
>
> > Are you sure about this? I can set memory_limit to -1, which is then cast
> > to size_t, resulting in a limit > ZEND_LONG_MAX.
> >
> >
> > I tried the following in a 32bit VM with -dmemory_limit=-1 and got a
> > segfault:
> >
> > <?php
> >
> > $str = str_repeat('x', PHP_INT_MAX);
> > $str .= 'yyy';
> >
> > $str[1] = 'a';
> >
> > There is no crash if I cast offset to (size_t) instead.
> >
> >
> I redid it per your suggestion. I still have a crash on Windows x86. It is,
> however, already in str_repeat(), in the allocation:
>
> >       php7ts_debug.dll!zend_string_safe_alloc(unsigned int n, unsigned int m, unsigned int l, int persistent) Line 117        C
>         php7ts_debug.dll!zif_str_repeat(unsigned int param_count, _zval_struct * return_value, void * * * tsrm_ls) Line 4738     C
>         php7ts_debug.dll!ZEND_DO_FCALL_SPEC_HANDLER(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 593      C
>         php7ts_debug.dll!execute_ex(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 352     C
>         php7ts_debug.dll!zend_execute(_zend_op_array * op_array, _zval_struct * return_value, void * * * tsrm_ls) Line 381      C
>         php7ts_debug.dll!zend_execute_scripts(int type, void * * * tsrm_ls, _zval_struct * retval, int file_count, ...) Line 1345   C
>         php7ts_debug.dll!php_execute_script(_zend_file_handle * primary_file, void * * * tsrm_ls) Line 2560   C
>
> If you say you had that fixed by reversing the cast, then I might be seeing
> a Windows-only issue. Looking further.
>

This is likely just an OOM allocation failure. The new MM didn't yet do OOM
checks, but Dmitry committed a fix for that just now. Does it work for you
now? ("Work" as in throw an error ^^)

Nikita
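
Added example, not part of the original messages and not php-src code: a sketch of why the direction of the cast discussed in this thread matters once a string is longer than ZEND_LONG_MAX. It assumes the bounds check compares the offset against the length; the type and function names are hypothetical, and fixed-width types model the 32-bit build.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: model a 32-bit build with fixed-width types, so the
 * result is the same on any host. long32 stands in for zend_long,
 * size32 for size_t. These names are hypothetical, not php-src names. */
typedef int32_t  long32;
typedef uint32_t size32;

/* Length converted to the signed type before the comparison. A length
 * above INT32_MAX becomes negative on two's-complement targets. */
static int in_bounds_signed(long32 offset, size32 len)
{
    return offset >= 0 && offset < (long32)len;
}

/* Offset converted to the unsigned type instead, after rejecting
 * negative values. The length keeps its full range. */
static int in_bounds_unsigned(long32 offset, size32 len)
{
    return offset >= 0 && (size32)offset < len;
}

/* Constructed input: the length str_repeat('x', PHP_INT_MAX) . 'yyy'
 * would have on 32-bit, i.e. INT32_MAX + 3. */
static size32 huge_len(void)
{
    return (size32)INT32_MAX + 3u;
}

int main(void)
{
    size32 len = huge_len();
    printf("len=%u as signed=%d\n", (unsigned)len, (int)(long32)len);
    printf("offset 1: signed check=%d unsigned check=%d\n",
           in_bounds_signed(1, len), in_bounds_unsigned(1, len));
    printf("offset -1: unsigned check=%d\n", in_bounds_unsigned(-1, len));
    return 0;
}
```

With the signed comparison, a valid offset of 1 is classified as out of range for the oversized string, so the code takes the wrong branch; the unsigned comparison classifies it correctly.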
