Memory out of bound error #169
Comments
adamziel
added
[Type] Bug
|
Thank you for reporting! This is a legitimate bug. The message talks about memory, but luckily it’s unrelated to actual memory consumption. You’re not running out of memory. Rather, PHP is trying to read something from the wrong memory region. It should be a relatively easy fix, I'll look into that. |
|
Thanks @adamziel for the quick response. Looking forward for the fix as i'm willing to use it into my project. |
|
Update: Here's an unminified stacktrace: |
|
Something's wrong with the way POST body is read. Presumably memcpy writes to/from a region it's not supposed to: #if PHP_MAJOR_VERSION == 5
static int wasm_sapi_read_post_body(char *buffer, uint count_bytes)
#else
static size_t wasm_sapi_read_post_body(char *buffer, size_t count_bytes)
#endif
{
if (wasm_server_context == NULL || wasm_server_context->request_body == NULL)
{
return 0;
}
count_bytes = MIN(count_bytes, SG(request_info).content_length - SG(read_post_bytes));
if(count_bytes > 0) {
memcpy(buffer + SG(read_post_bytes), wasm_server_context->request_body + SG(read_post_bytes), count_bytes);
}
return count_bytes;
} |
|
Note to myself: compare that logic to php-fpm SAPI https://github.com/php/php-src/blob/master/sapi/fpm/fpm/fpm_main.c |
|
Php-fcgi has interesting safeguards in place: static size_t sapi_fcgi_read_post(char *buffer, size_t count_bytes)
{
size_t read_bytes = 0;
int tmp_read_bytes;
fcgi_request *request = (fcgi_request*) SG(server_context);
size_t remaining = SG(request_info).content_length - SG(read_post_bytes);
if (remaining < count_bytes) {
count_bytes = remaining;
}
while (read_bytes < count_bytes) {
size_t diff = count_bytes - read_bytes;
int to_read = (diff > INT_MAX) ? INT_MAX : (int)diff;
tmp_read_bytes = fcgi_read(request, buffer + read_bytes, to_read);
if (tmp_read_bytes <= 0) {
break;
}
read_bytes += tmp_read_bytes;
}
return read_bytes;
} |
|
Hypothesis: if POST body exceeds SAPI_POST_BLOCK_SIZE, or about 16k bytes, the POST-reading loop runs for the second time - which is what trigger the error. If so, this is probably the buffer is of the |
|
That was it! I'm rebuilding PHP and will ship a fix shortly. |
|
Fix shipped in 2e950a2 I still need to deploy the updated version to wasm.wordpress.net, but this issue may be closed. @ZafarKamal123 can you confirm this worked? If not, I'm happy to reopen. |
|
Thanks for the quick support man! I'll check this and get back to you. |
|
It’s now deployed to wasm.wordpress.net! The editor is still experiencing a few issues due to #174, but not this one. |
…API_POST_BLOCK_SIZE Fixes #169 If POST body exceeds SAPI_POST_BLOCK_SIZE, or about 16k bytes, the POST-reading loop runs for the second time - which is what trigger the error. If so, this is probably the buffer is of the SAPI_POST_BLOCK_SIZE size and is reset every time. However, the post reader assumes it must memcpy to buffer + SG(read_post_bytes) which not only leaves the buffer empty but also corrupts the memory region after if. This PR writes to the buffer directly instead of moving the pointer by SG(read_post_bytes)
The following memory access error occurs on the official playground of WordPress WASM when trying to publish a page with a lot of content (not really a lot):
Steps to Reproduce
Expected Behaviour
It should publish the page successfully.
The text was updated successfully, but these errors were encountered: