Newsgroups: php.internals
Subject: 16-bit reference count in PHP 4's zval
From: t.starling@physics.unimelb.edu.au (Tim Starling)
To: internals@lists.php.net
Date: Sat, 07 Jan 2006 15:47:27 +1100
Message-ID: <31.AA.06465.0C74FB34@pb1.pair.com>

I've had some trouble with large arrays in my PHP programs causing corruption of the heap. I tracked the problem back to PHP 4's 16-bit reference count. If you have more than 64K references to a given zval, the counter will overflow, then when the references are freed, the object will be double-freed, causing a segfault. Dangling references are also possible, allowing reading and writing of subsequently allocated blocks. No doubt the PHP dev team are aware of this already, since it was fixed in PHP 5, by using a 32-bit type instead.
My question is: is there any intention to backport this simple but important bugfix to PHP 4? Many PHP users are still using PHP 4, and it's not a very well advertised fact that it does not properly support arrays with more than 64K entries.

-- 
Tim Starling
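A constructed C model of the counter overflow described in the post (an added example, not PHP engine source): `zval_model`, `frees_after_cycle` and `zval_addref_checked` are hypothetical names, and the model only counts how often the engine would free the value rather than touching a real heap.

```c
#include <stdint.h>
/* Model of the bug the post describes: PHP 4 kept a zval's reference
   count in a 16-bit field (PHP 5 widened it to 32 bits). `bits` selects
   the width; the stored count wraps modulo 2^bits. Constructed model. */
typedef struct {
    uint32_t refcount;  /* stored count, masked to `bits` */
    uint32_t mask;      /* 2^bits - 1 */
    unsigned frees;     /* how many times the value was "freed" */
} zval_model;

static void zval_init(zval_model *z, unsigned bits) {
    z->mask = bits >= 32 ? 0xFFFFFFFFu : (1u << bits) - 1u;
    z->refcount = 1;    /* the creating reference */
    z->frees = 0;
}
/* Take a reference, wrapping silently like the PHP 4 counter. */
static void zval_addref(zval_model *z) {
    z->refcount = (z->refcount + 1) & z->mask;
}
/* Release a reference; the engine frees the value when the count hits 0.
   A second free of the same zval is the double free from the post. */
static void zval_delref(zval_model *z) {
    z->refcount = (z->refcount - 1) & z->mask;
    if (z->refcount == 0) z->frees++;
}

/* Create a value, take n extra references, release all n + 1 of them, and
   report how many times it got freed (a correct engine: exactly 1). With
   bits = 16 and n = 65536 the first release frees it, leaving 65536
   dangling references, and the last release frees it a second time. */
unsigned frees_after_cycle(unsigned long n, unsigned bits) {
    zval_model z;
    zval_init(&z, bits);
    for (unsigned long i = 0; i < n; i++) zval_addref(&z);
    for (unsigned long i = 0; i <= n; i++) zval_delref(&z);
    return z.frees;
}
/* Defensive variant: refuse a reference that would wrap the counter.
   Returns 0 on success, -1 when the stored count is already at its limit. */
int zval_addref_checked(zval_model *z) {
    if (z->refcount == z->mask) return -1;
    z->refcount++;
    return 0;
}
/* Exercise the checked variant at the saturation point for `bits`. */
int checked_addref_at_limit(unsigned bits) {
    zval_model z;
    zval_init(&z, bits);
    z.refcount = z.mask;
    return zval_addref_checked(&z);
}
```

Widening the field removes the wrap for any realistic array size; the checked variant shows the alternative of failing loudly at the limit instead of corrupting the heap.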