Skip to content

Possible memory leak in php_msgpack_unserialize #176

@michael-grunder

Description

@michael-grunder

Hi 👋,

I came across a possible memory leak in msgpack

I can reproduce the leak in php 8.2 and 8.3 and in msgpack 2.2.0, 3.0.0, and master.

<?php
$data = hex2bin('89716235369266a1b030656238313037383332393464363764');
$unserialized = msgpack_unserialize($data);
// var_dump($unserialized);

Output:

❯ sapi/cli/php msgpack-reproducer.php

Warning: [msgpack] (msgpack_unserialize_map_item) illegal key type in /home/mike/dev/phpfarm/src/php-8.3.11-debug/msgpack-reproducer.php on line 5

Warning: Array to string conversion in /home/mike/dev/phpfarm/src/php-8.3.11-debug/msgpack-reproducer.php on line 5

Warning: [msgpack] (php_msgpack_unserialize) Extra bytes in /home/mike/dev/phpfarm/src/php-8.3.11-debug/msgpack-reproducer.php on line 5
[Thu Oct  3 10:31:36 2024]  Script:  '/home/mike/dev/phpfarm/src/php-8.3.11-debug/msgpack-reproducer.php'
/home/mike/dev/phpfarm/src/php-8.3.11-debug/Zend/zend_string.h(174) :  Freeing 0x0000749bd1203c40 (32 bytes), script=/home/mike/dev/phpfarm/src/php-8.3.11-debug/msgpack-reproducer.php
[Thu Oct  3 10:31:36 2024]  Script:  '/home/mike/dev/phpfarm/src/php-8.3.11-debug/msgpack-reproducer.php'
/home/mike/dev/phpfarm/src/php-8.3.11-debug/Zend/zend_hash.c(291) :  Freeing 0x0000749bd125db40 (56 bytes), script=/home/mike/dev/phpfarm/src/php-8.3.11-debug/msgpack-reproducer.php
[Thu Oct  3 10:31:36 2024]  Script:  '/home/mike/dev/phpfarm/src/php-8.3.11-debug/msgpack-reproducer.php'
/home/mike/dev/phpfarm/src/php-8.3.11-debug/Zend/zend_hash.c(157) :  Freeing 0x0000749bd1261180 (136 bytes), script=/home/mike/dev/phpfarm/src/php-8.3.11-debug/msgpack-reproducer.php
=== Total 3 memory leaks detected ===

Valgrind has more info:

$ USE_ZEND_ALLOC=0 valgrind sapi/cli/php --leak-check=full msgpack-reproducer.php
=620239== Command: sapi/cli/php msgpack-reproducer.php
==620239==

Warning: [msgpack] (msgpack_unserialize_map_item) illegal key type in /home/mike/dev/phpfarm/src/php-8.3.11-debug/msgpack-reproducer.php on line 5

Warning: Array to string conversion in /home/mike/dev/phpfarm/src/php-8.3.11-debug/msgpack-reproducer.php on line 5

Warning: [msgpack] (php_msgpack_unserialize) Extra bytes in /home/mike/dev/phpfarm/src/php-8.3.11-debug/msgpack-reproducer.php on line 5
==620239==
==620239== HEAP SUMMARY:
==620239==     in use at exit: 224 bytes in 3 blocks
==620239==   total heap usage: 31,171 allocs, 31,167 frees, 21,577,011 bytes allocated
==620239==
==620239== 224 (56 direct, 168 indirect) bytes in 1 blocks are definitely lost in loss record 3 of 3
==620239==    at 0x484977B: malloc (vg_replace_malloc.c:446)
==620239==    by 0xD9BD5B: __zend_malloc (zend_alloc.c:3128)
==620239==    by 0xD9A9B0: _malloc_custom (zend_alloc.c:2491)
==620239==    by 0xD9AAEE: _emalloc (zend_alloc.c:2610)
==620239==    by 0xDED989: _zend_new_array (zend_hash.c:291)
==620239==    by 0x8CA788: msgpack_unserialize_array (msgpack_unpack.c:550)
==620239==    by 0x8C39BA: msgpack_unserialize_execute (unpack_template.h:231)
==620239==    by 0x8C4B9D: php_msgpack_unserialize (msgpack.c:252)
==620239==    by 0x8C4F2D: zif_msgpack_unserialize (msgpack.c:318)
==620239==    by 0xE18118: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1337)
==620239==    by 0xE8DBD3: execute_ex (zend_vm_execute.h:57216)
==620239==    by 0xE92419: zend_execute (zend_vm_execute.h:61604)
==620239==
==620239== LEAK SUMMARY:
==620239==    definitely lost: 56 bytes in 1 blocks
==620239==    indirectly lost: 168 bytes in 2 blocks
==620239==      possibly lost: 0 bytes in 0 blocks
==620239==    still reachable: 0 bytes in 0 blocks
==620239==         suppressed: 0 bytes in 0 blocks

Version info:

PHP 8.3.11 (cli) (built: Sep 15 2024 18:27:47) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.3.11, Copyright (c) Zend Technologies

msgpack

MessagePack Support => enabled
Session Support => enabled
MessagePack APCu Serializer ABI => no
extension Version => 3.0.0
header Version => 3.2.0

Directive => Local Value => Master Value
msgpack.error_display => On => On
msgpack.php_only => On => On
msgpack.assoc => On => On
msgpack.illegal_key_insert => Off => Off
msgpack.use_str8_serialization => On => On

Let me know if you need any more information. I might try and track it down but I'm not very familiar with the internal working of the library 😄

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions