Obsolete:PHP 4.4.x heap corruption

From Wikitech
This page contains historical information. It may be outdated or unreliable.

Segfault on exit in PHP 4.4.x. Object version:

<?php
class C { var $m1, $m2, $m3, $m4, $m5, $m6; }
ini_set( 'memory_limit', -1 );
$a = array();
for ( $i=0; $i<100000; $i++) $a[] = new C;
?>

Array version:

<?php
$t = array( 'm1' => null, 'm2' => null, 'm3' => null, 'm5' => null, 'm6' => null );
ini_set( 'memory_limit', -1 );
$a = array();
for ( $i=0; $i<100000; $i++) $a[] = $t;
debug_zval_dump($t);
?>

Returns:

array(5) refcount(34466){
  ["m1"]=>
  NULL refcount(1)
  ["m2"]=>
  NULL refcount(1)
  ["m3"]=>
  NULL refcount(1)
  ["m5"]=>
  NULL refcount(1)
  ["m6"]=>
  NULL refcount(1)
}
Segmentation fault

With smaller array sizes, the reference count is correct and there is no segfault.

This is due to an unsigned short being used for the reference count in PHP 4: once a value has more than 65535 references the 16-bit counter wraps around, so when the copies are released on shutdown the count reaches zero while live references remain and the engine frees memory that is still in use, corrupting the heap. The counter was changed to an unsigned int in PHP 5.