PHP :: Bug #61273 :: call_user_func_array with more than 16333 arguments leaks
| Bug #61273 | call_user_func_array with more than 16333 arguments leaks / crashes | | |
|---|---|---|---|
| Submitted: | 2012-03-04 15:24 UTC | Modified: | 2012-03-11 15:29 UTC |
| From: | nikic@php.net | Assigned: | dmitry (profile) |
| Status: | Closed | Package: | Reproducible crash |
| PHP Version: | 5.4SVN-2012-03-04 (SVN) | OS: | |
| Private report: | No | CVE-ID: | None |
[2012-03-04 15:24 UTC] nikic@php.net
Description:
------------
The following code:

```php
call_user_func_array(function(&$a) {}, $array = array_fill(0, 16334, "*"));
```
Produces this output:

```text
Warning: Parameter 1 to {closure}() expected to be a reference, value given in Command line code on line 1
[Sun Mar 4 16:17:15 2012] Script: '-'
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(832) : Freeing 0xB72FC03C (36 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(412) : Actual location (location was relayed)
Last leak repeated 16333 times
[Sun Mar 4 16:17:15 2012] Script: '-'
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(376) : Freeing 0xB744103C (65536 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_alloc.c(2529) : Actual location (location was relayed)
[Sun Mar 4 16:17:15 2012] Script: '-'
/home/nikic/dev/php-src/trunk/Zend/zend_API.c(315) : Freeing 0xB74C0D50 (44 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_variables.c(134) : Actual location (location was relayed)
Last leak repeated 1 time
[Sun Mar 4 16:17:15 2012] Script: '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(6788) : Freeing 0xB78560A8 (20 bytes), script=-
[Sun Mar 4 16:17:15 2012] Script: '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(2378) : Freeing 0xB7857380 (2 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_variables.c(121) : Actual location (location was relayed)
[Sun Mar 4 16:17:15 2012] Script: '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(2375) : Freeing 0xB7858360 (20 bytes), script=-
=== Total 16340 memory leaks detected ===
```
If you do some more stuff after the call, PHP will eventually segfault.
This only happens if the *first* argument of the callback is by-ref and only happens after a certain number of arguments (for me it starts with 16334). That's why I guess that this has something to do with http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute_API.c#862 (i == 0 => branch not entered) and http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute_API.c#851 (as it is only for large argument numbers).
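An added regression harness for the behaviour described in this report (not code from the report or from php-src): it runs call_user_func_array() repeatedly with a by-reference first parameter at the argument count the reporter observed (16334) and just below it (16333), plus a by-value control, and reports how much memory_get_usage() grows across iterations. The closure shape, the "*" fill value and the inline `$tmp = array_fill(...)` form follow the reporter's reproducer; the argument counts and iteration count are assumptions.

```php
<?php
// Regression harness for Bug #61273 (added example, not the reporter's code).
// A per-call growth in memory_get_usage() that scales with the argument count
// means the argument zvals are not being released after the call returns.

function probe($argc, $byRef, $iterations = 20)
{
    // By-ref first parameter is the trigger condition from the report;
    // the by-value closure serves as a control that should not grow.
    $callback = $byRef ? function (&$a) {} : function ($a) {};

    // Warm-up call so allocator growth from the first invocation is not counted.
    @call_user_func_array($callback, $tmp = array_fill(0, $argc, '*'));
    unset($tmp);

    $before = memory_get_usage();
    for ($i = 0; $i < $iterations; $i++) {
        // '@' suppresses the "expected to be a reference, value given" warning
        // that the report shows; the array is rebuilt each time, as in the
        // reporter's reproducer, so a non-leaking engine frees it every call.
        @call_user_func_array($callback, $tmp = array_fill(0, $argc, '*'));
        unset($tmp);
    }
    $after = memory_get_usage();

    return array(
        'argc'         => $argc,
        'by_ref'       => $byRef,
        'growth_bytes' => $after - $before,
        'per_call'     => ($after - $before) / $iterations,
    );
}

// Constructed cases: just below and at the reporter's threshold, plus a control.
$cases = array(array(16333, true), array(16334, true), array(16334, false));
foreach ($cases as $case) {
    list($n, $ref) = $case;
    $r = probe($n, $ref);
    printf("argc=%d by_ref=%s growth=%d bytes (%.1f per call)\n",
        $r['argc'], $r['by_ref'] ? 'yes' : 'no', $r['growth_bytes'], $r['per_call']);
}
```

On a fixed engine all three cases should report growth near zero; a large per-call figure for the by-ref case only, appearing at or above the threshold, is the leak signature this report describes.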
Patches
call_user_func_array.patch (last revision 2012-03-04 16:00 UTC by nikic@php.net)
History
[2012-03-04 15:33 UTC] nikic@php.net
[2012-03-04 15:53 UTC] nikic@php.net
[2012-03-04 17:44 UTC] pajoye@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry