#50207 [NEW]: segmentation fault when concatenating very large strings on 64bit linux
From: matt at bitwarehouse dot com
Operating system: CentOS 5 x64
PHP version: 5.2.11
PHP Bug Type: Scripting Engine problem
Bug description: segmentation fault when concatenating very large strings on 64bit linux

Description:
------------
When concatenating values to a string of length = 2^31, a segmentation fault will occur in memcpy on 64 bit Linux. This appears to be caused by the signed int length of the string (overflowed to negative) being cast to unsigned long long when added to an 8 byte pointer in Zend/zend_operators.c:concat_function. This also occurs in PHP 5.3.0.

In PHP 5.1.6, a fatal erealloc error would be issued when the variable hit (2^31)+1 (INT_MAX) to prevent overflow. This, however, is gone in PHP 5.2. It is also unclear if PHP and its string functions are supposed to support strings larger than 2GB.

Reproduce code:
---------------
<?php
// run me with: php -d memory_limit=-1
$s = str_repeat('A', pow(2,31));
$s .= 'B'; // fails with segfault
printf("strlen: %u last-char: %c", strlen($s), $s[pow(2,31)-1]);
?>

Expected result:
----------------
Either:
strlen: 2147483649 last-char: B
-or-
FATAL: erealloc(): Unable to allocate XXX bytes
with the understanding that strings cannot contain more than 2^31 bytes

Actual result:
--------------
PHP 5.2.11 and 5.3.0 were compiled with no configure arguments, no patches, no extra extensions on 64bit CentOS 5. E.g.

./configure
make
# presume a.php contains reproduce code
% ./sapi/cli/php -d memory_limit=-1 a.php
Segmentation fault

Backtrace of segfault:
Program received signal SIGSEGV, Segmentation fault.
0x003897a7bdc1 in memcpy () from /lib64/libc.so.6
(gdb) bt
#0  0x003897a7bdc1 in memcpy () from /lib64/libc.so.6
#1  0x0060a520 in concat_function (result=<value optimized out>, op1=0x1c32ba60, op2=0x1c32c850) at /home/matt/tmp/php-5.2.11/Zend/zend_operators.c:1208
#2  0x00676623 in zend_binary_assign_op_helper_SPEC_CV_CONST (binary_op=0x60a3c0 <concat_function>, execute_data=0x7fff4e789070) at /home/matt/tmp/php-5.2.11/Zend/zend_vm_execute.h:21034
#3  0x0062fd73 in execute (op_array=0x1c32c278) at /home/matt/tmp/php-5.2.11/Zend/zend_vm_execute.h:92
#4  0x006117a3 in zend_execute_scripts (type=8, retval=0x2b47b33ea030, file_count=3) at /home/matt/tmp/php-5.2.11/Zend/zend.c:1134
#5  0x005d164b in php_execute_script (primary_file=0x7fff4e78b6e0) at /home/matt/tmp/php-5.2.11/main/main.c:2020
#6  0x0069100c in main (argc=4, argv=0x7fff4e78b8d8) at /home/matt/tmp/php-5.2.11/sapi/cli/php_cli.c:1162

-- 
Edit bug report at http://bugs.php.net/?id=50207&edit=1
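An added C model of the overflow described in the report above (this is not Zend code and not the reporter's code; the function names are the example's own): how a 2^31 byte count wraps in a signed int length field, what byte offset that wrapped value becomes once it is converted to unsigned long long and added to a pointer on a 64-bit host, and a checked length computation that refuses the concatenation before any memcpy is reached.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Value a signed 32-bit length field holds after storing n bytes.
 * The two's-complement wrap is written out explicitly instead of relying
 * on an implementation-defined (int) cast. str_repeat('A', pow(2,31))
 * leaves exactly this kind of negative length behind. */
int stored_int_length(uint64_t n) {
    uint32_t low = (uint32_t)n;                 /* keep the low 32 bits */
    if (low <= (uint32_t)INT_MAX) return (int)low;
    return (int)(low - 0x80000000u) + INT_MIN;  /* high bit becomes the sign */
}

/* Byte offset that `result_ptr + len` uses when a wrapped int length is
 * converted to unsigned long long (the hazard the report describes in
 * concat_function). A negative len turns into a near-2^64 offset. */
uint64_t pointer_offset(int len) {
    return (uint64_t)(unsigned long long)len;
}

/* Guard a concat should apply before allocating and copying: returns the
 * new length when op1_len + op2_len fits a signed int, or -1 when either
 * operand has already wrapped negative or the sum would overflow. This is
 * the error path the report says PHP 5.1.6 took (a fatal erealloc error)
 * and PHP 5.2 no longer takes. */
long checked_concat_len(int op1_len, int op2_len) {
    if (op1_len < 0 || op2_len < 0) return -1;   /* already wrapped */
    if (op1_len > INT_MAX - op2_len) return -1;  /* sum would overflow */
    return (long)op1_len + op2_len;
}

int main(void) {
    /* Constructed inputs: the 2^31-byte string from the report plus 'B'. */
    int len = stored_int_length(1ULL << 31);
    printf("length field after str_repeat: %d\n", len);
    printf("offset memcpy would be handed on x86_64: 0x%llx\n",
           (unsigned long long)pointer_offset(len));
    if (checked_concat_len(len, 1) < 0)
        printf("refusing concat: string length overflow\n");
    return 0;
}
```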
#50207 [Com]: segmentation fault when concatenating very large strings on 64bit linux
ID: 50207
Comment by: matt at bitwarehouse dot com
Reported By: matt at bitwarehouse dot com
Status: Open
Bug Type: Scripting Engine problem
Operating System: CentOS 5 x64
PHP Version: 5.2.11

New Comment:

Clarification. The reproduce code should be:

<?php
// run me with: php -d memory_limit=-1
$s = str_repeat('A', pow(2,31));
$s .= 'B'; // fails with segfault
printf("strlen: %u last-char: %c", strlen($s), $s[pow(2,31)]);
?>

Previous Comments:
------------------------------------------------------------------------
[2009-11-17 18:27:41] matt at bitwarehouse dot com