From:             matt at bitwarehouse dot com
Operating system: CentOS 5 x64
PHP version:      5.2.11
PHP Bug Type:     Scripting Engine problem
Bug description:  segmentation fault when concatenating very large strings on 64bit linux

Description:
------------
When concatenating values to a string of length >= 2^31, a segmentation 
fault will occur in memcpy on 64 bit Linux.  This appears to be caused 
by the signed int length of the string (overflowed to negative) being 
cast to unsigned long long when added to an 8 byte pointer in 
Zend/zend_operators.c:concat_function.

This also occurs in PHP 5.3.0. 

In PHP 5.1.6, a fatal erealloc error would be issued when the variable 
hit (2^31)+1 (INT_MAX) to prevent overflow.  This however is gone in PHP 
>5.2.

It is also unclear if PHP and its string functions are supposed to 
support strings larger than 2GB.

Reproduce code:
---------------
<?php
// run me with: php -d memory_limit=-1
$s = str_repeat('A', pow(2,31));
$s .= 'B'; // fails with segfault
printf("strlen: %u last-char: %c", strlen($s), $s[pow(2,31)-1]);
?>

Expected result:
----------------
Either:

strlen: 2147483649 last-char: B

-or-

"FATAL: erealloc(): Unable to allocate XXX bytes" 
with the understanding that strings cannot contain more than 2^31 bytes

Actual result:
--------------
PHP 5.2.11 and 5.3.0 were compiled with no configure arguments, no 
patches, no extra extensions on 64bit CentOS 5.

E.g. ./configure && make

#presume a.php contains reproduce code
% ./sapi/cli/php -d memory_limit=-1 a.php
Segmentation fault

Backtrace of segfault:
Program received signal SIGSEGV, Segmentation fault.
0x0000003897a7bdc1 in memcpy () from /lib64/libc.so.6
(gdb) bt
#0  0x0000003897a7bdc1 in memcpy () from /lib64/libc.so.6
#1  0x000000000060a520 in concat_function (result=<value optimized out>, op1=0x1c32ba60, op2=0x1c32c850) at /home/matt/tmp/php-5.2.11/Zend/zend_operators.c:1208
#2  0x0000000000676623 in zend_binary_assign_op_helper_SPEC_CV_CONST (binary_op=0x60a3c0 <concat_function>, execute_data=0x7fff4e789070) at /home/matt/tmp/php-5.2.11/Zend/zend_vm_execute.h:21034
#3  0x000000000062fd73 in execute (op_array=0x1c32c278) at /home/matt/tmp/php-5.2.11/Zend/zend_vm_execute.h:92
#4  0x00000000006117a3 in zend_execute_scripts (type=8, retval=0x2b47b33ea030, file_count=3) at /home/matt/tmp/php-5.2.11/Zend/zend.c:1134
#5  0x00000000005d164b in php_execute_script (primary_file=0x7fff4e78b6e0) at /home/matt/tmp/php-5.2.11/main/main.c:2020
#6  0x000000000069100c in main (argc=4, argv=0x7fff4e78b8d8) at /home/matt/tmp/php-5.2.11/sapi/cli/php_cli.c:1162


-- 
Edit bug report at http://bugs.php.net/?id=50207&edit=1
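The arithmetic behind the crash the report describes, as an added example that is not the reporter's code and not PHP's own concat_function: a signed 32-bit length field wraps to INT_MIN once the string reaches 2^31 bytes, and adding that negative value to an 8-byte pointer sign-extends it, so the memcpy destination lands far outside the buffer. The block models that offset without allocating 2 GB, and pairs it with a concatenation routine that keeps lengths in size_t and rejects results beyond a bound before touching memory (the erealloc-style refusal the report lists as an acceptable outcome). MAX_STR_LEN and the function names sign_extended_length, length_overflows and checked_concat are assumptions made for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on the length a concatenation may produce. INT_MAX mirrors
 * the signed 32-bit length field described in the report; the limit and
 * every function name below are assumptions made for this example. */
#define MAX_STR_LEN ((size_t)INT_MAX)

/* Model of the faulty arithmetic: the true total length is stored in a
 * signed 32-bit field, so 2^31 wraps to INT_MIN. Adding that field to an
 * 8-byte pointer sign-extends it, which is why the write lands far below
 * the buffer instead of just past op1. Returns the 64-bit offset that
 * would be added to the pointer. */
long long sign_extended_length(size_t total_len)
{
    int32_t as_signed = (int32_t)(uint32_t)total_len; /* wraps past INT_MAX */
    return (long long)as_signed;                      /* sign-extends to 64 bits */
}

/* Returns 1 when op1_len + op2_len would exceed MAX_STR_LEN, 0 otherwise.
 * Written as a subtraction so the check itself cannot overflow. */
int length_overflows(size_t op1_len, size_t op2_len)
{
    return op2_len > MAX_STR_LEN || op1_len > MAX_STR_LEN - op2_len;
}

/* Hardened concatenation: lengths are size_t and the bound is checked
 * before any allocation or memcpy. Returns 0 and fills *out/*out_len on
 * success (caller frees *out); returns -1 if the result would be too long
 * or allocation fails. Input buffers are not read when the length check
 * fails, so callers may probe limits with placeholder pointers. */
int checked_concat(const char *op1, size_t op1_len,
                   const char *op2, size_t op2_len,
                   char **out, size_t *out_len)
{
    if (length_overflows(op1_len, op2_len))
        return -1;                     /* refuse instead of corrupting memory */

    size_t total = op1_len + op2_len;  /* cannot wrap: checked above */
    char *buf = malloc(total + 1);     /* +1 for the terminating NUL */
    if (buf == NULL)
        return -1;

    memcpy(buf, op1, op1_len);
    memcpy(buf + op1_len, op2, op2_len);
    buf[total] = '\0';
    *out = buf;
    *out_len = total;
    return 0;
}

int main(void)
{
    size_t huge = (size_t)1 << 31;     /* the length at which the report crashes */
    printf("signed 32-bit view of a 2^31-byte length: %lld\n",
           sign_extended_length(huge));
    printf("appending one byte to 2^31 bytes refused: %s\n",
           length_overflows(huge, 1) ? "yes" : "no");

    char *s;
    size_t n;
    if (checked_concat("AAAA", 4, "B", 1, &s, &n) == 0) {
        printf("%s (%zu bytes)\n", s, n);
        free(s);
    }
    return 0;
}
```

The two halves show both outcomes the report asks for: the modelled offset makes the negative sign-extended value visible, and the bounded routine turns the same input into a clean refusal rather than a crash.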