#32403 [NEW]: PHP does not free memory, occupied by cross-referencing objects

2005-03-21 Thread valyala at tut dot by
From: valyala at tut dot by
Operating system: any
PHP version:  Irrelevant
PHP Bug Type: Zend Engine 2 problem
Bug description:  PHP does not free memory, occupied by cross-referencing 
objects

Description:

See reproducible code below


Reproduce code:
---
<?php
// NOTE: the opening lines of this script (through the construction of $child)
// were lost when the archive swallowed the "<?php" line as an HTML tag. The
// function header and the $a placeholder below are reconstructed so that the
// rest of the script, which is original, runs; 100 -> about 1 MB per call
// matches the "1GB" comment on the loop.
function memleak($n)
{
    $a = str_repeat('x', $n * 10000); // reconstructed placeholder for the lost payload
    // construct child
    $child = array(
        'data' => $a,
    );
    // construct parent
    $parent = array(
        'data' => $a,
        'child' => &$child,
    );
    // comment out the following line to prevent the memleak
    $child['parent'] = &$parent;
}

// try to leak 1GB of memory
for ($i = 0; $i < 1000; $i++) memleak(100);

sleep(10);

?>

Expected result:

normal execution of script

Actual result:
--
PHP occupies all available memory.

-- 
Edit bug report at http://bugs.php.net/?id=32403&edit=1
-- 
Try a CVS snapshot (php4):   http://bugs.php.net/fix.php?id=32403&r=trysnapshot4
Try a CVS snapshot (php5.0): 
http://bugs.php.net/fix.php?id=32403&r=trysnapshot50
Try a CVS snapshot (php5.1): 
http://bugs.php.net/fix.php?id=32403&r=trysnapshot51
Fixed in CVS:http://bugs.php.net/fix.php?id=32403&r=fixedcvs
Fixed in release:http://bugs.php.net/fix.php?id=32403&r=alreadyfixed
Need backtrace:  http://bugs.php.net/fix.php?id=32403&r=needtrace
Need Reproduce Script:   http://bugs.php.net/fix.php?id=32403&r=needscript
Try newer version:   http://bugs.php.net/fix.php?id=32403&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=32403&r=support
Expected behavior:   http://bugs.php.net/fix.php?id=32403&r=notwrong
Not enough info: 
http://bugs.php.net/fix.php?id=32403&r=notenoughinfo
Submitted twice: 
http://bugs.php.net/fix.php?id=32403&r=submittedtwice
register_globals:http://bugs.php.net/fix.php?id=32403&r=globals
PHP 3 support discontinued:  http://bugs.php.net/fix.php?id=32403&r=php3
Daylight Savings:http://bugs.php.net/fix.php?id=32403&r=dst
IIS Stability:   http://bugs.php.net/fix.php?id=32403&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=32403&r=gnused
Floating point limitations:  http://bugs.php.net/fix.php?id=32403&r=float
No Zend Extensions:  http://bugs.php.net/fix.php?id=32403&r=nozend
MySQL Configuration Error:   http://bugs.php.net/fix.php?id=32403&r=mysqlcfg


#28064 [Com]: php crashes with big scripts

2004-06-14 Thread valyala at tut dot by
 ID:   28064
 Comment by:   valyala at tut dot by
 Reported By:  gross at schlund dot de
 Status:   Assigned
 Bug Type: Scripting Engine problem
 Operating System: Linux
 PHP Version:  4.3.6
 Assigned To:  andi
 New Comment:

Here is a much smaller script, which consumes 99% of CPU and all
available memory on my PHP 4.3.7 under Apache 1.3.31, Win2k, 512Mb RAM,
1Gb swap.




Previous Comments:


[2004-05-13 18:48:45] phpbugs at hagemeister dot cc

Tested the script on several different machines, they all crash when I
use the test-script.

- Debian woody + php 4.12 (From package)
- Debian woody + php 4.36 (Compiled)
- Debian woody + php 4.37-dev (Compiled from
php4-STABLE-200405131230.tar.gz)
- SuSE 8.0 + php 4.23 (SuSE RPM)
- SuSE 8.0 + php 4.36 (Compiled)



[2004-04-27 14:00:34] martin dot hoffmann at schlund dot de

The problem is with the do_alloca() in zend_execute.c:1041. The test
script causes it to allocate 14 MByte of stack, thereby kicking the
stack into uncharted territory and making subsequent function calls
fail.



[2004-04-20 09:08:39] gross at schlund dot de

compiling PHP without --enable-memory-limit and running the given
script results in a crash and the following backtrace:

(gdb) bt
#0  0x081a0d85 in execute (op_array=0x8325be4)
at /usr/src/kundenserver/php-4.3.6/Zend/zend_execute.c:1266
#1  0x08193238 in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
at /usr/src/kundenserver/php-4.3.6/Zend/zend.c:886
#2  0x0816c853 in php_execute_script (primary_file=0xb588)
at /usr/src/kundenserver/php-4.3.6/main/main.c:1731
#3  0x081abc73 in main (argc=2, argv=0xb604)
at /usr/src/kundenserver/php-4.3.6/sapi/cgi/cgi_main.c:1592
(gdb)

You can find the binary at
http://www.andigross.de/phpcrash/phpbinary-without-memory-limit.gz
and the core at
http://www.andigross.de/phpcrash/core-without-memory-limit.gz



[2004-04-19 21:34:39] [EMAIL PROTECTED]

Although it didn't actually crash for me, valgrind showed the following
errors:


#28673 [NEW]: readfile() crashes on huge local files

2004-06-07 Thread valyala at tut dot by
From: valyala at tut dot by
Operating system: any with MMAP support
PHP version:  4.3.7
PHP Bug Type: Output Control
Bug description:  readfile() crashes on huge local files

Description:

When I try to print huge files (greater than 500Mb) using the readfile()
function, my computer crashes.

I found in the PHP 4.3.7 sources the file main/streams.c and the function
_php_stream_passthru() in it. readfile() uses this function to print the
content of the file. Below you can see the source of the function with my
comments:
===
PHPAPI size_t _php_stream_passthru(php_stream * stream STREAMS_DC TSRMLS_DC)
{
    size_t bcount = 0;
    int ready = 0;
    char buf[8192];
#ifdef HAVE_MMAP
    int fd;
#endif

#ifdef HAVE_MMAP
    if (!php_stream_is(stream, PHP_STREAM_IS_SOCKET)
        && stream->filterhead == NULL
        && php_stream_tell(stream) == 0
        && SUCCESS == php_stream_cast(stream, PHP_STREAM_AS_FD, (void*)&fd, 0))
    {
        struct stat sbuf;
        off_t off; /* !!! offset == 0 (see above condition [php_stream_tell(stream) == 0]) */
        void *p;
        size_t len;

        fstat(fd, &sbuf); /* !!! missing error check after this line */

        if (sbuf.st_size > sizeof(buf)) {
            off = php_stream_tell(stream); /* !!! offset == 0 (see above) */
            len = sbuf.st_size - off;
            /* suppose len > 1 Gb, machine has 128Mb RAM and 128Mb swap.
               What happens after the next line? */
            p = mmap(0, len, PROT_READ, MAP_SHARED, fd, off); /* !!! why MAP_SHARED, not MAP_PRIVATE?
                                                                 First parameter of the mmap is (void *) type,
                                                                 not (int) */
            if (p != (void *) MAP_FAILED) {
                BG(mmap_file) = p; /* !!! what sense of this and next string? Thread safety?
                                      I don't understand how it works here */
                BG(mmap_len) = len;
                PHPWRITE(p, len);
                BG(mmap_file) = NULL; /* !!! thread safety? ok. why there is not
                                         BG(mmap_len) = 0 on the next line? */
                munmap(p, len); /* !!! missing error check after munmap */
                bcount += len;
                ready = 1;
            }
        }
    }
#endif
    if(!ready) {
        int b;

        while ((b = php_stream_read(stream, buf, sizeof(buf))) > 0) {
            PHPWRITE(buf, b);
            bcount += b;
        }
    }
    return bcount;
}
===
 
And here you can see my version of the function:
 
===
PHPAPI size_t _php_stream_passthru(php_stream * stream STREAMS_DC TSRMLS_DC)
{
    size_t bcount = 0; /* counter of printed out bytes */
    int is_mapped = 0;
    char buf[8192];
    size_t buf_len = sizeof(buf);
#ifdef HAVE_MMAP
    int fd;

    if (!php_stream_is(stream, PHP_STREAM_IS_SOCKET)
        && stream->filterhead == NULL
        && php_stream_tell(stream) == 0
        && SUCCESS == php_stream_cast(stream, PHP_STREAM_AS_FD, (void*)&fd, 0))
    {
        struct stat sbuf;
        void *p; /* pointer to the mapped part of the file */
        size_t len;

        is_mapped = 1;
        /* default length of the mapped memory; a multiple of the page size,
           so every offset passed to mmap() below stays page-aligned */
        buf_len = 1024 * 1024;
        /* get the length of the local file connected to descriptor fd;
           test the return value, not errno (errno is not cleared on success) */
        if (fstat(fd, &sbuf) != 0) {
            /* cannot get length of file */
            php_error_docref(NULL TSRMLS_CC, E_ERROR, "cannot get length of the file");
            return bcount;
        }
        len = (size_t) sbuf.st_size;
        /* print the file contents to the output buffer, one window at a time */
        while (bcount < len) {
            if (len - bcount < buf_len) buf_len = len - bcount;
            /* try to map part of the file to memory */
            p = mmap(NULL, buf_len, PROT_READ, MAP_PRIVATE, fd, (off_t) bcount);
            if (p == (void *) MAP_FAILED) {
                /* error when mapping part of the file to memory */
                php_error_docref(NULL TSRMLS_CC, E_ERROR, "mmap error: cannot map part of the file to memory");
                break;
            }
            PHPWRITE(p, buf_len);
            /* unmap the window; again test the return value rather than errno */
            if (munmap(p, buf_len) != 0) {
                /* error when unmapping memory */
                php_error_docref(NULL TSRMLS_CC, E_ERROR, "mmap error: cannot unmap allocated memory");
                break;
            }
            bcount += buf_len;
        }
    }
#endif
    if (!is_mapped) {
        /* print the stream contents to the output buffer */
        while ((buf_len = php_stream_read(stream, buf, sizeof(buf))) > 0) {
            PHPWRITE(buf, buf_len);
            bcount += buf_len;
        }
    }
    return bcount;
}

Reproduce code:
-
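The chunked mapping the report argues for, as a stand-alone added example (not PHP's own code): a sliding, page-aligned MAP_PRIVATE window with the fstat() and munmap() return values checked, plus a read(2) fallback when mmap() fails (for example with ENOMEM on a huge file) instead of a fatal error. The names passthru_mmap and demo_roundtrip are assumed, and the sample file is constructed inside demo_roundtrip.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>

#define WINDOW (1024 * 1024) /* map at most 1 MiB at a time, never the whole file */

/* write(2) all of len bytes, retrying on short writes; 0 on success, -1 on error */
static int write_all(int out_fd, const char *p, size_t len) {
    while (len > 0) {
        ssize_t n = write(out_fd, p, len);
        if (n < 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Copy the regular file behind fd to out_fd through a sliding private mapping.
   Returns the number of bytes written, or -1 on error. (assumed helper name) */
long passthru_mmap(int fd, int out_fd) {
    struct stat sb;
    size_t len, done = 0, window;
    int mapped = 1;                 /* cleared after the first mmap() failure */
    if (fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode)) return -1; /* return value, not errno */
    len = (size_t)sb.st_size;
    window = WINDOW - WINDOW % (size_t)sysconf(_SC_PAGESIZE); /* keep offsets page-aligned */
    while (done < len) {
        size_t chunk = len - done < window ? len - done : window;
        void *p = mapped ? mmap(NULL, chunk, PROT_READ, MAP_PRIVATE, fd, (off_t)done) : MAP_FAILED;
        if (p == MAP_FAILED) {      /* e.g. ENOMEM: finish with plain read(2) instead of failing */
            char buf[8192];
            ssize_t n;
            mapped = 0;
            if (lseek(fd, (off_t)done, SEEK_SET) < 0 || (n = read(fd, buf, sizeof buf)) <= 0) return -1;
            if (write_all(out_fd, buf, (size_t)n) != 0) return -1;
            done += (size_t)n;
            continue;
        }
        int rc = write_all(out_fd, (const char *)p, chunk);
        if (munmap(p, chunk) != 0 || rc != 0) return -1; /* munmap() is checked as well */
        done += chunk;
    }
    return (long)done;
}

/* Round-trip a constructed nbytes-long pattern through passthru_mmap() using two
   temporary files and compare byte for byte. Returns 1 if identical, else 0. */
int demo_roundtrip(size_t nbytes) {
    FILE *in = tmpfile(), *out = tmpfile();
    int ok = in && out;
    for (size_t i = 0; ok && i < nbytes; i++) fputc((int)(i % 251), in);
    if (ok) { fflush(in); ok = passthru_mmap(fileno(in), fileno(out)) == (long)nbytes; }
    if (ok) rewind(out);
    for (size_t i = 0; ok && i < nbytes; i++) if (fgetc(out) != (int)(i % 251)) ok = 0;
    if (ok && fgetc(out) != EOF) ok = 0;
    if (in) fclose(in); if (out) fclose(out);
    return ok;
}
```

A file of three windows plus a tail exercises both the full-window and the final partial mapping; passthru_mmap(-1, 1) shows the fstat() failure path returning -1.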

#26597 [Fbk->Csd]: missing all slashes in the path $_FILES['any_file']['tmp_name']

2003-12-15 Thread valyala at tut dot by
 ID:   26597
 User updated by:  valyala at tut dot by
 Reported By:  valyala at tut dot by
-Status:   Feedback
+Status:   Closed
-Bug Type: Scripting Engine problem
+Bug Type: Strings related
 Operating System: Win2k sp3
 PHP Version:  4.3.4
 New Comment:

I found my error.
My script was doing something like this:
if (get_magic_quotes_gpc()) $_FILES['any_file']['tmp_name'] = stripslashes($_FILES['any_file']['tmp_name']);
:)
But I can't understand why the stripslashes() function strips all
backslashes, not only those before the special characters [0, \, ', "]
that addslashes() escapes.


Previous Comments:


[2003-12-14 20:41:43] [EMAIL PROTECTED]

Try this:

print(addslashes($_FILES['any_file']['tmp_name']));


--------------------

[2003-12-12 04:50:43] valyala at tut dot by

Description:

PHP 4.3.4 is running under Apache 1.3.27 as a module.

The value of $_FILES['any_file']['tmp_name'] is wrong. All slashes in the
path have been deleted, so I cannot know the real filename of the
temporary file.

Reproduce code:
---
/* file with name 'any_file' was posted to the script
 I want to see, where the temporary file was stored on the server:
*/
print($_FILES['any_file']['tmp_name']);

Expected result:

c:/winnt/temp/phpXX.tmp


Actual result:
--
c:winnttempphpXX.tmp





-- 
Edit this bug report at http://bugs.php.net/?id=26597&edit=1


#26597 [NEW]: missing all slashes in the path $_FILES['any_file']['tmp_name']

2003-12-12 Thread valyala at tut dot by
From: valyala at tut dot by
Operating system: Win2k sp3
PHP version:  4.3.4
PHP Bug Type: Scripting Engine problem
Bug description:  missing all slashes in the path $_FILES['any_file']['tmp_name']

Description:

PHP 4.3.4 is running under Apache 1.3.27 as a module.

The value of $_FILES['any_file']['tmp_name'] is wrong. All slashes in the path
have been deleted, so I cannot know the real filename of the temporary file.

Reproduce code:
---
/* file with name 'any_file' was posted to the script
 I want to see, where the temporary file was stored on the server:
*/
print($_FILES['any_file']['tmp_name']);

Expected result:

c:/winnt/temp/phpXX.tmp


Actual result:
--
c:winnttempphpXX.tmp

-- 
Edit bug report at http://bugs.php.net/?id=26597&edit=1


#25793 [Fbk->Opn]: special POST or GET query crashes PHP under Windows

2003-10-13 Thread valyala at tut dot by
 ID:   25793
 User updated by:  valyala at tut dot by
 Reported By:  valyala at tut dot by
-Status:   Feedback
+Status:   Open
 Bug Type: Reproducible crash
 Operating System: Win2k sp3, WinXP, Win2003
-PHP Version:  4.3.3 and older
+PHP Version:  4.3.3RC1 - RC4
 New Comment:

I am using Apache 1.3.27 webserver.
This string is in apache's httpd.conf file:
LoadModule php4_module "c:/usr/bin/php/sapi/php4apache.dll"


Previous Comments:


[2003-10-13 03:26:56] [EMAIL PROTECTED]

I can not reproduce this within WinXP + Apache2 (PHP as apache2
module). 

What SAPI module are you using? (isapi,apache1/2, CGI binary..)
Webserver?




[2003-10-08 09:34:18] valyala at tut dot by

Description:

these query strings crash PHP under Windows:
1[]
437378[index]
232[index]=value&something_else

the query string must begin with any decimal number, followed by braces
with an optional index string.

Sorry for my English :)

Reproduce code:
---
GET /any_php_script.php?1[] HTTP/1.1


Expected result:

If my script looks like this:


I expected:
Array
(
[1] => Array
(
[0] => 
)

)


Actual result:
--
No response headers received because request failed :
ERROR_INTERNET_CONNECTION_RESET

And windows shows error message: "Apache.exe has generated errors and
will be closed by Windows. You will need to restart the program"





-- 
Edit this bug report at http://bugs.php.net/?id=25793&edit=1


#25793 [Opn]: special POST or GET query crashes PHP under Windows

2003-10-09 Thread valyala at tut dot by
 ID:   25793
 User updated by:  valyala at tut dot by
 Reported By:  valyala at tut dot by
 Status:   Open
 Bug Type: Reproducible crash
-Operating System: Win2k sp3
+Operating System: Win2k sp3, WinXP, Win2003
-PHP Version:  4.3.3
+PHP Version:  4.3.3 and older
 New Comment:

To Stephen at ediassociates dot com:
Is your webserver running under Windows NT?
If yes, try this link to reproduce the bug:
http://localhost/login/link.php?32432[]

I think this bug is useful for DoS attacks ;)


Previous Comments:


[2003-10-08 14:32:00] Stephen at ediassociates dot com

Close, mine doesn't crash the server; however, it doesn't return any
values.

My link is "http://localhost/login/link.php?SesId=67394710";

but when I place the following code in link.php I get "The sessionId
is" and nothing else.


----

[2003-10-08 09:34:18] valyala at tut dot by

Description:

these query strings crash PHP under Windows:
1[]
437378[index]
232[index]=value&something_else

the query string must begin with any decimal number, followed by braces
with an optional index string.

Sorry for my English :)

Reproduce code:
---
GET /any_php_script.php?1[] HTTP/1.1


Expected result:

If my script looks like this:


I expected:
Array
(
[1] => Array
(
[0] => 
)

)


Actual result:
--
No response headers received because request failed :
ERROR_INTERNET_CONNECTION_RESET

And windows shows error message: "Apache.exe has generated errors and
will be closed by Windows. You will need to restart the program"





-- 
Edit this bug report at http://bugs.php.net/?id=25793&edit=1


#25793 [NEW]: special POST or GET query crashes PHP under Windows

2003-10-08 Thread valyala at tut dot by
From: valyala at tut dot by
Operating system: Win2k sp3
PHP version:  4.3.3
PHP Bug Type: Reproducible crash
Bug description:  special POST or GET query crashes PHP under Windows

Description:

these query strings crash PHP under Windows:
1[]
437378[index]
232[index]=value&something_else

the query string must begin with any decimal number, followed by braces
with an optional index string.

Sorry for my English :)

Reproduce code:
---
GET /any_php_script.php?1[] HTTP/1.1


Expected result:

If my script looks like this:


I expected:
Array
(
[1] => Array
(
[0] => 
)

)


Actual result:
--
No response headers received because request failed :
ERROR_INTERNET_CONNECTION_RESET

And windows shows error message: "Apache.exe has generated errors and will
be closed by Windows. You will need to restart the program"

-- 
Edit bug report at http://bugs.php.net/?id=25793&edit=1