Bug 1071344 - PHP segfaults when you try to allocate an SplFixedArray with size >= 9999
Summary: PHP segfaults when you try to allocate an SplFixedArray with size >= 9999
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: php
Version: 6.5
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Remi Collet
QA Contact: Petr Šplíchal
URL:
Whiteboard:
Depends On:
Blocks: 1075802 1172231
Reported: 2014-02-28 14:41 UTC by Coty Sutherland
Modified: 2021-01-14 09:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-10 21:37:48 UTC
Target Upstream Version:
Embargoed:


Attachments:
PHP script to reproduce behavior. (460 bytes, text/plain), 2014-02-28 14:42 UTC, Coty Sutherland


Links:
PHP Bug Tracker 54609
PHP Bug Tracker 55660
Red Hat Product Errata RHBA-2016:0842 (priority normal, status SHIPPED_LIVE): php bug fix update, last updated 2016-05-10 22:42:34 UTC

Description Coty Sutherland 2014-02-28 14:41:03 UTC
Description of problem:
When trying to fill an SplFixedArray object of length >= 9999 you get a segfault.

Version-Release number of selected component (if applicable):
6.5

How reproducible:
Every time when running with a PHP version < 5.3.8.

Steps to Reproduce:
1. Execute attached script.

Actual results:
With LENGTH < 9999: works fine.
With LENGTH >= 9999: Either a segfault or a 'zend_mm_heap_corrupted' error depending on whether the inner array is a regular array or a fixed array.
Output:
Array
 *RECURSION*Array
 ....
 *RECURSION*Array
(
Segmentation fault (core dumped)

Expected results:
Array
(
    [0] => test
    [1] => test2
)
.... // repeated about 9998 times

Additional info:
This seems to occur with PHP versions less than 5.3.8. I attached a bug report from years ago that was for this problem, but was closed because the problem disappeared in later versions. I was unable to find where it was fixed though.

Comment 1 Coty Sutherland 2014-02-28 14:42:10 UTC
Created attachment 869093 [details]
PHP script to reproduce behavior.

Comment 3 Remi Collet 2014-03-21 14:15:34 UTC
I think this is related to upstream bug 54609.

Upstream fix:
http://git.php.net/?p=php-src.git;a=commit;h=0afd4bd18bef55d8bce4d0fe854a65781477029a

This is related to the garbage collector.

With the provided reproducer, and a regular array

  $ php -d zend.enable_gc=1 /tmp/foo.php
  Array
   *RECURSION*Array
   ...
   *RECURSION*Array
  (
  Segmentation fault (core dumped)

With gc disabled => no segfault

  $ php -d zend.enable_gc=0 /tmp/foo.php
  ...
  Array
  (
      [0] => test
      [1] => test2
  )

With the provided reproducer, and a fixed array

  $ php -d zend.enable_gc=1 /tmp/foo.php 
  Segmentation fault (core dumped)

With gc disabled => no segfault

  $ php -d zend.enable_gc=0 /tmp/foo.php
  ...

      [8] => 
      [9] => 
  )

So can you please test with "zend.enable_gc=0" to confirm this.

Would the customer be able to test a scratch build with this fix applied?
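
The attached reproducer (attachment 869093) is not reproduced on this page, so the following is an added script, written from the shapes described in the report and in this comment, not the reporter's own attachment. It builds an SplFixedArray of LENGTH slots each holding a two-element array (regular or fixed, selectable via INNER_FIXED), and lets you apply the zend.enable_gc workaround at runtime through a constructed SPL_GC_OFF environment variable instead of the -d switch.

```php
<?php
// Added example: a constructed reproducer for bug 1071344, not the attached script.
// On the affected PHP (< 5.3.8 with zend.enable_gc=1) comment 3 reports a segfault
// or a zend_mm_heap_corrupted error while the array is filled and printed; with the
// collector disabled the print_r completes and shows LENGTH two-element arrays.

const LENGTH = 9999;        // the threshold named in the report
const INNER_FIXED = false;  // false: inner regular array, true: inner SplFixedArray

// Workaround from comment 3: either run with `php -d zend.enable_gc=0 repro.php`
// or disable the collector inside the script. SPL_GC_OFF is an assumed, constructed
// switch for this example; gc_disable() itself is a standard PHP function.
if (getenv('SPL_GC_OFF') === '1') {
    gc_disable();
}
printf("PHP %s, garbage collector %s\n", PHP_VERSION, gc_enabled() ? 'enabled' : 'disabled');

// Build the outer fixed array and fill every slot with a small inner container.
function build_outer($length, $innerFixed)
{
    $outer = new SplFixedArray($length);
    for ($i = 0; $i < $length; $i++) {
        if ($innerFixed) {
            $inner = new SplFixedArray(2);
            $inner[0] = 'test';
            $inner[1] = 'test2';
        } else {
            $inner = array('test', 'test2');
        }
        $outer[$i] = $inner;
    }
    return $outer;
}

$outer = build_outer(LENGTH, INNER_FIXED);

// The report's expected result: each slot printed as a two-element array, LENGTH
// times, with no *RECURSION* markers and no crash. Count the slots that survived so
// a fixed build can be checked without reading all of the output.
$ok = 0;
foreach ($outer as $slot) {
    if (count($slot) === 2 && $slot[0] === 'test' && $slot[1] === 'test2') {
        $ok++;
    }
}
print_r($outer->toArray());
printf("%d of %d slots intact\n", $ok, LENGTH);
```

Run it twice, once plainly and once with SPL_GC_OFF=1 (or -d zend.enable_gc=0), and compare the two results on the build under test; a fixed php package behaves the same either way.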

Comment 4 Coty Sutherland 2014-03-24 14:22:40 UTC
Hi Remi,

That works for me in my environment. I will pass it on to the customer and verify it works for them, and also check to see if they can test a build with the fix applied.

Thanks!

Comment 5 Coty Sutherland 2014-03-25 13:20:30 UTC
> So can you please test with "zend.enable_gc=0" to confirm this.

"Yes -- disabling GC appears to make the segfault go away."

> Would the customer be able to test a scratch build with this fix applied?

They are willing to test a build if we get them one.

Comment 18 errata-xmlrpc 2016-05-10 21:37:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0842.html