From: miau dot jp at gmail dot com
Operating system: Linux
PHP version: 5.3.18
Package: Output Control
Bug Type: Bug
Bug description:Segfault on output buffer > 2GB
Description:
------------
Storing more than 2GB of data causes a segmentation fault. This problem seems to
occur on implicit use of the output buffer, such as print_r($val, true).
I ran the test script with GDB.
----
(gdb) run ob.php
Starting program: /usr/local/php-5.3.18/bin/php ob.php
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x2aaaaaaab000
[Thread debugging using libthread_db enabled]
Program received signal SIGSEGV, Segmentation fault.
0x0000000000597cb3 in php_ob_append (text=0x2aaaae1ae070 'a' <repeats 200 times>..., text_length=104857600)
at /usr/local/src/php-5.3.18/main/output.c:616
616 memcpy(target, text, text_length);
(gdb) l 607,616
607 static inline void php_ob_append(const char *text, uint text_length TSRMLS_DC)
608 {
609 char *target;
610 int original_ob_text_length;
611
612 original_ob_text_length=OG(active_ob_buffer).text_length;
613
614 php_ob_allocate(text_length TSRMLS_CC);
615 target = OG(active_ob_buffer).buffer+original_ob_text_length;
616 memcpy(target, text, text_length);
(gdb) p target
$1 = 0x2aaa379ef070 <Address 0x2aaa379ef070 out of bounds>
(gdb) p output_globals.active_ob_buffer.buffer
$2 = 0x2aaab45ef070 'a' <repeats 200 times>...
(gdb) p original_ob_text_length
$3 = -2092957696
original_ob_text_length is wrongly recognized as a negative value, and the
address of target is less than output_globals.active_ob_buffer.buffer.
Declaring original_ob_text_length as uint will fix this problem.
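As an added illustration of the analysis above (this is not code from PHP or from the report), the following C program replays the offset arithmetic of php_ob_append() with the sizes the test script uses, comparing the `int` declaration on line 610 with the proposed `uint` one. It allocates no buffer and performs no memcpy(), so it only computes the offset each append would hand to memcpy(); CHUNK_BYTES, CHUNK_COUNT and the helper function names are this example's own.

```c
#include <limits.h>
#include <stdio.h>

/* Added example: models only the offset arithmetic of php_ob_append().
 * Sizes are the reporter's: str_repeat('a', 100 * 1024 * 1024), 22 times. */
#define CHUNK_BYTES (100u * 1024u * 1024u)
#define CHUNK_COUNT 22u

/* Buggy variant: `int original_ob_text_length` as in output.c:610.
 * A uint text_length above INT_MAX is stored in an int; converting an
 * out-of-range unsigned value is implementation-defined, and gcc on the
 * reporter's x86-64 Linux reduces modulo 2^32, so the value goes negative. */
static long long offset_with_int(unsigned int ob_text_length)
{
    int original_ob_text_length = (int)ob_text_length;
    return (long long)original_ob_text_length;
}

/* Fixed variant: the uint declaration the report proposes. */
static long long offset_with_uint(unsigned int ob_text_length)
{
    unsigned int original_ob_text_length = ob_text_length;
    return (long long)original_ob_text_length;
}

/* A negative offset means buffer + original_ob_text_length points before
 * the allocation: the "out of bounds" target seen in the gdb session.
 * memcpy() through it is undefined behaviour and here a SIGSEGV. */
static int target_precedes_buffer(long long offset)
{
    return offset < 0;
}

/* Replays the test script's loop and returns the offset computed for
 * append number n (1-based), i.e. with n-1 chunks already buffered. */
static long long offset_for_append(unsigned int n, int use_uint)
{
    unsigned int text_length = 0;  /* stands in for OG(active_ob_buffer).text_length */
    for (unsigned int i = 1; i < n; i++)
        text_length += CHUNK_BYTES;
    return use_uint ? offset_with_uint(text_length) : offset_with_int(text_length);
}

/* 1-based index of the first append whose target precedes the buffer,
 * or 0 if every append stays in bounds. */
static unsigned int first_bad_append(int use_uint)
{
    for (unsigned int n = 1; n <= CHUNK_COUNT; n++)
        if (target_precedes_buffer(offset_for_append(n, use_uint)))
            return n;
    return 0;
}

int main(void)
{
    printf("INT_MAX = %d\n", INT_MAX);
    for (unsigned int n = 20; n <= CHUNK_COUNT; n++)
        printf("append %2u: int offset %12lld, uint offset %12lld\n",
               n, offset_for_append(n, 0), offset_for_append(n, 1));
    printf("first bad append with int: %u, with uint: %u\n",
           first_bad_append(0), first_bad_append(1));
    return 0;
}
```

With the `int` declaration the 22nd append sees 21 buffered chunks (2202009600 bytes), which reads back as -2092957696, the same value gdb printed for original_ob_text_length; with `uint` every offset stays non-negative.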
Test script:
---------------
<?php
ini_set('memory_limit', '3072M');
ob_start();
for ($i = 0; $i < 22; $i++) {
echo str_repeat('a', 100 * 1024 * 1024);
}
ob_end_clean();
Expected result:
----------------
# php ob.php
(no error occurs)
Actual result:
--------------
(Since a fatal error sometimes causes ob_flush(), redirecting
STDOUT is preferable.)
# php ob.php > /dev/null
Segmentation fault
--
Edit bug report at https://bugs.php.net/bug.php?id=63377&edit=1