[2014-11-06 14:59 UTC] remi@php.net

Description:
------------
In some (hard to reproduce) run conditions, if memory limit is triggered during zend_hash_copy, zend_mm_heap can be corrupted (and can segfault during shutdown).

I think the problem occurs in _zend_hash_index_update_or_next_insert, on
   p  = (Bucket *) pemalloc_rel(sizeof(Bucket), ht->persistent);

5.6 also affected


Test script:
---------------
<?php
error_reporting(E_ALL);
set_time_limit(5);
ini_set('memory_limit', '256M');
$arrayLarge = array_fill(0, 1010911, '*');
echo "Running 5/50 (get_defined_vars).\n";
$array_get_defined_vars_5 = get_defined_vars();
echo "Running 14/50 (array_merge).\n";
$array_array_merge_14 = array_merge($arrayLarge, $array_get_defined_vars_5);
echo "Running 30/50 (exec).\n";
$string_exec_30 = exec(false, $arrayLarge);


Expected result:
----------------
Running 5/50 (get_defined_vars).
Running 14/50 (array_merge).
Running 30/50 (exec).
PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 72 bytes) in /home/rcollet/work/0d22753b8b97c56a401d760b9580a08b.php on line 11
zend_mm_heap corrupted


Actual result:
--------------
Running 5/50 (get_defined_vars).
Running 14/50 (array_merge).
Running 30/50 (exec).
PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 72 bytes) in /home/rcollet/work/0d22753b8b97c56a401d760b9580a08b.php on line 11
zend_mm_heap corrupted