Edit report at https://bugs.php.net/bug.php?id=63377&edit=1
ID: 63377
Updated by: larue...@php.net
Reported by: miau dot jp at gmail dot com
Summary: Segfault on output buffer > 2GB
Status: Closed
Type: Bug
Package: Output Control
Operating System: Linux
PHP Version: 5.3.18
-Assigned To: mike
+Assigned To: laruence
Block user comment: N
Private report: N

New Comment:

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

For Windows: http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------
[2012-11-30 06:50:15] larue...@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)

------------------------------------------------------------------------
[2012-11-30 06:49:42] larue...@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)

------------------------------------------------------------------------
[2012-11-30 06:49:16] larue...@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)

------------------------------------------------------------------------
[2012-11-30 06:48:42] larue...@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff6c9e2726ab724707999ed651d1a414336665f2
Log: Fixed bug #63377 (Segfault on output buffer)

------------------------------------------------------------------------
[2012-10-28 19:59:33] miau dot jp at gmail dot com

Description:
------------
Storing more than 2GB of data causes a segmentation fault.
This problem seems to occur on implicit use of the output buffer, such as print_r($val, true).

I ran the test script with GDB.

----
(gdb) run ob.php
Starting program: /usr/local/php-5.3.18/bin/php ob.php
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x2aaaaaaab000
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x0000000000597cb3 in php_ob_append (text=0x2aaaae1ae070 'a' <repeats 200 times>..., text_length=104857600) at /usr/local/src/php-5.3.18/main/output.c:616
616         memcpy(target, text, text_length);
(gdb) l 607,616
607     static inline void php_ob_append(const char *text, uint text_length TSRMLS_DC)
608     {
609         char *target;
610         int original_ob_text_length;
611
612         original_ob_text_length=OG(active_ob_buffer).text_length;
613
614         php_ob_allocate(text_length TSRMLS_CC);
615         target = OG(active_ob_buffer).buffer+original_ob_text_length;
616         memcpy(target, text, text_length);
(gdb) p target
$1 = 0x2aaa379ef070 <Address 0x2aaa379ef070 out of bounds>
(gdb) p output_globals.active_ob_buffer.buffer
$2 = 0x2aaab45ef070 'a' <repeats 200 times>...
(gdb) p original_ob_text_length
$3 = -2092957696
----

original_ob_text_length is wrongly recognized as a negative value, and the address of target is less than output_globals.active_ob_buffer.buffer.
Declaring original_ob_text_length as uint will fix this problem.

Test script:
---------------
<?php
ini_set('memory_limit', '3072M');
ob_start();
for ($i = 0; $i < 22; $i++) {
    echo str_repeat('a', 100 * 1024 * 1024);
}
ob_end_clean();

Expected result:
----------------
# php ob.php
(no error occurs)

Actual result:
--------------
(Since a fatal error sometimes causes ob_flush(), redirecting STDOUT is preferable.)
# php ob.php > /dev/null
Segmentation fault

------------------------------------------------------------------------
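The arithmetic behind the crash, as an added example that is not part of the bug report or of PHP's source. It models the length handling of php_ob_append() from the gdb listing above with plain integers: the buffer is never allocated, the buffer address 0x2aaab45ef070 and the 100 MiB chunk size are taken from the gdb session, and with 21 chunks already buffered (2202009600 bytes, 0x83400000) the buggy path reproduces the exact out-of-bounds target gdb printed. The function names (ob_target_buggy, ob_target_fixed, ob_uint_wraps, ob_grow_checked) and the overflow-checked variant are the example's own, not PHP's API or the committed fix; the ob_uint_wraps check only illustrates that a 32-bit unsigned length still wraps, at 4 GiB instead of 2 GiB.

```c
/*
 * Added example, not PHP's code: a numeric model of the php_ob_append()
 * arithmetic quoted in bug #63377.  Nothing is allocated; the pointer value
 * and chunk size are copied from the gdb session so the buggy path lands
 * on the same out-of-bounds address gdb showed.  Function names and the
 * checked variant are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHUNK            (100u * 1024u * 1024u)  /* str_repeat('a', 100 MiB) */
#define OB_BUFFER_ADDR   0x2aaab45ef070ULL      /* $2 in the gdb session    */

/* Buffer length after 21 echoes; the 22nd crashed: 2202009600 = 0x83400000. */
#define OB_LEN_AT_CRASH  ((uint32_t)(21u * CHUNK))

/*
 * Buggy: output.c lines 610/612 store the unsigned text_length in an `int`.
 * Once the buffer passes 2 GiB the high bit is set, the stored value is
 * negative (two's-complement wrap, as gcc/clang do and C23 mandates), and
 * buffer + offset lands below the allocation.
 */
uintptr_t ob_target_buggy(uintptr_t buffer, uint32_t ob_text_length)
{
    int original_ob_text_length = (int32_t)ob_text_length;  /* -2092957696 */
    return (uintptr_t)((intptr_t)buffer + original_ob_text_length);
}

/* Width-correct: keep the length in size_t, as wide as the pointer it offsets. */
uintptr_t ob_target_fixed(uintptr_t buffer, size_t ob_text_length)
{
    return buffer + ob_text_length;
}

/*
 * A 32-bit unsigned length (the `uint` the reporter suggests) only moves the
 * wrap from 2 GiB to 4 GiB: old length + new length is still a 32-bit sum.
 * Returns 1 when that sum would wrap.
 */
int ob_uint_wraps(uint32_t ob_text_length, uint32_t text_length)
{
    return text_length > UINT32_MAX - ob_text_length;
}

/*
 * What an append should establish before memcpy: the new total neither
 * overflows the length type nor exceeds the allocation.  Returns 0 and
 * writes the new length on success, -1 otherwise.
 */
int ob_grow_checked(size_t ob_text_length, size_t text_length,
                    size_t capacity, size_t *new_length)
{
    if (text_length > SIZE_MAX - ob_text_length)   /* arithmetic overflow */
        return -1;
    if (ob_text_length + text_length > capacity)   /* past the allocation */
        return -1;
    *new_length = ob_text_length + text_length;
    return 0;
}

int main(void)
{
    size_t n = 0;
    printf("buffer        = 0x%llx\n", (unsigned long long)OB_BUFFER_ADDR);
    printf("buggy target  = 0x%llx  (gdb: $1 = 0x2aaa379ef070)\n",
           (unsigned long long)ob_target_buggy(OB_BUFFER_ADDR, OB_LEN_AT_CRASH));
    printf("fixed target  = 0x%llx\n",
           (unsigned long long)ob_target_fixed(OB_BUFFER_ADDR, OB_LEN_AT_CRASH));
    printf("uint32 wraps at 40 chunks + 1 chunk: %d\n",
           ob_uint_wraps(40u * CHUNK, CHUNK));
    printf("checked grow past capacity: %d\n",
           ob_grow_checked(OB_LEN_AT_CRASH, CHUNK, OB_LEN_AT_CRASH, &n));
    return 0;
}
```

Below 2 GiB the buggy and fixed targets agree, which is why the test script needs 22 iterations of 100 MiB before anything fails; the sign flip, not the memcpy itself, is what sends target 2 GiB below the buffer.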