summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlbert Casademont <albertcasademont@gmail.com>2019-07-23 14:03:06 +0200
committerNikita Popov <nikita.ppv@gmail.com>2019-07-29 17:33:57 +0200
commitdc7aa22b18b710aaa837c9466e9a77241f909c8a (patch)
treea5a8b43accc8e24cc13f92b4ac461423e53dc0af
parent38f1288b6427fc9e2fa2b5ad9912745ded923ee7 (diff)
downloadphp-git-dc7aa22b18b710aaa837c9466e9a77241f909c8a.tar.gz
Fix bug #78326
Similar to what fread() does, truncate the stream_get_contents() result if the original buffer was way too large.
-rw-r--r--NEWS2
-rw-r--r--ext/standard/tests/streams/bug78326.phpt18
-rw-r--r--ext/standard/tests/streams/bug78326_1.phpt10
-rw-r--r--main/streams/streams.c7
4 files changed, 36 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index d76ee3c55a..d8181a7028 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,8 @@ PHP NEWS
- Standard:
. Fixed bug #69100 (Bus error from stream_copy_to_stream (file -> SSL stream)
with invalid length). (Nikita)
+ . Fixed bug #78326 (improper memory deallocation on stream_get_contents()
+ with fixed length buffer). (Albert Casademont)
01 Aug 2019, PHP 7.2.21
diff --git a/ext/standard/tests/streams/bug78326.phpt b/ext/standard/tests/streams/bug78326.phpt
new file mode 100644
index 0000000000..ca27b05f62
--- /dev/null
+++ b/ext/standard/tests/streams/bug78326.phpt
@@ -0,0 +1,18 @@
+--TEST--
+memory allocation on stream_get_contents()
+--INI--
+memory_limit=32M
+--FILE--
+<?php
+$f = tmpfile();
+fwrite($f, '.');
+
+$chunks = array();
+for ($i = 0; $i < 1000; ++$i) {
+ rewind($f);
+ $chunks[] = stream_get_contents($f, 1000000);
+}
+var_dump(count($chunks));
+?>
+--EXPECT--
+int(1000)
diff --git a/ext/standard/tests/streams/bug78326_1.phpt b/ext/standard/tests/streams/bug78326_1.phpt
new file mode 100644
index 0000000000..8e3489db53
--- /dev/null
+++ b/ext/standard/tests/streams/bug78326_1.phpt
@@ -0,0 +1,10 @@
+--TEST--
+proper string length on stream_get_contents()
+--FILE--
+<?php
+$f = fopen('php://memory', 'rw');
+fwrite($f, str_repeat('X', 1000));
+fseek($f, 0);
+var_dump(strlen(stream_get_contents($f, 1024)));
+--EXPECT--
+int(1000)
diff --git a/main/streams/streams.c b/main/streams/streams.c
index 9daae57433..399ec29810 100644
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -1418,8 +1418,13 @@ PHPAPI zend_string *_php_stream_copy_to_mem(php_stream *src, size_t maxlen, int
ptr += ret;
}
if (len) {
- *ptr = '\0';
ZSTR_LEN(result) = len;
+ ZSTR_VAL(result)[len] = '\0';
+
+ /* Only truncate if the savings are large enough */
+ if (len < maxlen / 2) {
+ result = zend_string_truncate(result, len, persistent);
+ }
} else {
zend_string_free(result);
result = NULL;