author | Albert Casademont <albertcasademont@gmail.com> | 2019-07-23 14:03:06 +0200 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-07-29 17:33:57 +0200 |
commit | dc7aa22b18b710aaa837c9466e9a77241f909c8a (patch) | |
tree | a5a8b43accc8e24cc13f92b4ac461423e53dc0af | |
parent | 38f1288b6427fc9e2fa2b5ad9912745ded923ee7 (diff) | |
Fix bug #78326
Similar to what fread() does, truncate the stream_get_contents()
result if the original buffer was way too large.
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | ext/standard/tests/streams/bug78326.phpt | 18 | ||||
-rw-r--r-- | ext/standard/tests/streams/bug78326_1.phpt | 10 | ||||
-rw-r--r-- | main/streams/streams.c | 7 |
4 files changed, 36 insertions, 1 deletions
@@ -20,6 +20,8 @@ PHP NEWS - Standard: . Fixed bug #69100 (Bus error from stream_copy_to_stream (file -> SSL stream) with invalid length). (Nikita) + . Fixed bug #78326 (improper memory deallocation on stream_get_contents() + with fixed length buffer). (Albert Casademont) 01 Aug 2019, PHP 7.2.21
diff --git a/ext/standard/tests/streams/bug78326.phpt b/ext/standard/tests/streams/bug78326.phpt
new file mode 100644
index 0000000000..ca27b05f62
--- /dev/null
+++ b/ext/standard/tests/streams/bug78326.phpt
@@ -0,0 +1,18 @@
+--TEST--
+memory allocation on stream_get_contents()
+--INI--
+memory_limit=32M
+--FILE--
+<?php
+$f = tmpfile();
+fwrite($f, '.');
+
+$chunks = array();
+for ($i = 0; $i < 1000; ++$i) {
+ rewind($f);
+ $chunks[] = stream_get_contents($f, 1000000);
+}
+var_dump(count($chunks));
+?>
+--EXPECT--
+int(1000)
diff --git a/ext/standard/tests/streams/bug78326_1.phpt b/ext/standard/tests/streams/bug78326_1.phpt
new file mode 100644
index 0000000000..8e3489db53
--- /dev/null
+++ b/ext/standard/tests/streams/bug78326_1.phpt
@@ -0,0 +1,10 @@
+--TEST--
+proper string length on stream_get_contents()
+--FILE--
+<?php
+$f = fopen('php://memory', 'rw');
+fwrite($f, str_repeat('X', 1000));
+fseek($f, 0);
+var_dump(strlen(stream_get_contents($f, 1024)));
+--EXPECT--
+int(1000)
diff --git a/main/streams/streams.c b/main/streams/streams.c
index 9daae57433..399ec29810 100644
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -1418,8 +1418,13 @@ PHPAPI zend_string *_php_stream_copy_to_mem(php_stream *src, size_t maxlen, int
 ptr += ret;
 }
 if (len) {
- *ptr = '\0';
 ZSTR_LEN(result) = len;
+ ZSTR_VAL(result)[len] = '\0';
+
+ /* Only truncate if the savings are large enough */
+ if (len < maxlen / 2) {
+ result = zend_string_truncate(result, len, persistent);
+ }
 } else {
 zend_string_free(result);
 result = NULL; |
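Review bot: In bug78326.phpt the only assertion is `var_dump(count($chunks));`, so the test passes or fails on the 32M memory limit alone and never checks what a truncated result contains. Each call there reads one byte with a length of 1000000, which is the case that goes through the new truncation, so adding `var_dump(strlen($chunks[0]));` with `int(1)` in the expected output would pin the content as well. bug78326_1.phpt reads 1000 bytes with a length of 1024, which is above half the requested length and therefore appears to cover only the branch that does not truncate.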
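Review bot: The comment `/* Only truncate if the savings are large enough */` does not say what the `len < maxlen / 2` test guarantees, and that bound is what matters when the length argument is chosen by the caller: a returned string can still keep up to half of the `maxlen`-sized buffer unused. I would spell that out, e.g. `/* Shrink only when more than half of the maxlen-sized buffer is unused; smaller slack is kept, so a result may occupy roughly twice its length. */`. The initial allocation is not visible in this hunk, so whether a very large `maxlen` is still allocated in full before the read loop is something to confirm there. The body of _php_stream_copy_to_mem starts and ends outside the hunk.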