Skip to content

Commit 7cbbb3a

Browse files
pvandommelenpvandommelen
committed
Fix #81070: Integer underflow when memory limit is exceeded
When the memory limit is reduced using an `ini_set("memory_limit", ..)` below the currently allocated memory. Further allocations should cause a memory limit exceeded error. This fixes the regression introduced in 7.2.23
1 parent 98c8ad9 commit 7cbbb3a

File tree

2 files changed

+15
-5
lines changed

2 files changed

+15
-5
lines changed

Zend/tests/bug81070.phpt

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
--TEST--
2+
Bug #81070 Integer underflow in memory limit comparison
3+
--FILE--
4+
<?php
5+
$a = str_repeat("0", 5 * 1024 * 1024);
6+
ini_set("memory_limit", "3M");
7+
$b = str_repeat("0", 5 * 1024 * 1024);
8+
?>
9+
--EXPECTF--
10+
Fatal error: Allowed memory size of 3145728 bytes exhausted at %s (tried to allocate %d bytes) in %s on line %d

Zend/zend_alloc.c

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -982,7 +982,7 @@ static void *zend_mm_alloc_pages(zend_mm_heap *heap, uint32_t pages_count ZEND_F
982982
heap->cached_chunks = chunk->next;
983983
} else {
984984
#if ZEND_MM_LIMIT
985-
if (UNEXPECTED(ZEND_MM_CHUNK_SIZE > heap->limit - heap->real_size)) {
985+
if (UNEXPECTED(heap->limit < heap->real_size || ZEND_MM_CHUNK_SIZE > heap->limit - heap->real_size)) {
986986
if (zend_mm_gc(heap)) {
987987
goto get_chunk;
988988
} else if (heap->overflow == 0) {
@@ -1510,8 +1510,8 @@ static zend_never_inline void *zend_mm_realloc_huge(zend_mm_heap *heap, void *pt
15101510
}
15111511
} else /* if (new_size > old_size) */ {
15121512
#if ZEND_MM_LIMIT
1513-
if (UNEXPECTED(new_size - old_size > heap->limit - heap->real_size)) {
1514-
if (zend_mm_gc(heap) && new_size - old_size <= heap->limit - heap->real_size) {
1513+
if (UNEXPECTED(heap->limit < heap->real_size || new_size - old_size > heap->limit - heap->real_size)) {
1514+
if (zend_mm_gc(heap) && heap->limit >= heap->real_size && new_size - old_size <= heap->limit - heap->real_size) {
15151515
/* pass */
15161516
} else if (heap->overflow == 0) {
15171517
#if ZEND_DEBUG
@@ -1804,8 +1804,8 @@ static void *zend_mm_alloc_huge(zend_mm_heap *heap, size_t size ZEND_FILE_LINE_D
18041804
}
18051805

18061806
#if ZEND_MM_LIMIT
1807-
if (UNEXPECTED(new_size > heap->limit - heap->real_size)) {
1808-
if (zend_mm_gc(heap) && new_size <= heap->limit - heap->real_size) {
1807+
if (UNEXPECTED(heap->limit < heap->real_size || new_size > heap->limit - heap->real_size)) {
1808+
if (zend_mm_gc(heap) && heap->limit >= heap->real_size && new_size <= heap->limit - heap->real_size) {
18091809
/* pass */
18101810
} else if (heap->overflow == 0) {
18111811
#if ZEND_DEBUG

0 commit comments

Comments
 (0)