Monday, March 5. 2007
Yesterday I released Suhosin 0.9.17 in response to a bug report by Ilia Alshanetsky and some crash problems with PHP 4 that were reported over the past weeks.
The problem found by Ilia is a trivial way to bypass Suhosin's hard_memory_limit due to a bug in PHP. Suhosin, unlike PHP, allows the admin to set an unchangeable memory_limit for PHP scripts that acts as an upper limit for calls to ini_set("memory_limit", "xxx");
Unfortunately, PHP contains a bug: it does not handle negative memory_limit values correctly. Instead of rejecting them, it silently casts them to an unsigned integer, which results in a memory_limit above 2 GB. Suhosin < 0.9.17 did not catch this bug and therefore allowed bypassing the hard memory limit with a call like:
ini_set("memory_limit", "-10000");
The Hardened-PHP Project thanks Ilia for reporting this.
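The signed/unsigned mismatch described above, as an added C model that is not code from PHP or Suhosin: a cap check that only compares the signed request against the hard limit lets a negative value through, and a stricter check rejects it before any unsigned conversion. The 64 MB cap, the 32-bit unsigned width and all function names are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed value: admin-configured hard cap of 64 MB. */
#define HARD_LIMIT_BYTES (64L * 1024 * 1024)

/* Model of the engine side: the signed request ends up in an unsigned
 * 32-bit quantity (assumed width), so negative values wrap above 2 GB. */
static uint32_t effective_limit(long requested)
{
    return (uint32_t)requested;
}

/* Weak check: signed comparison against the cap only.
 * A negative request is "smaller" than the cap and is accepted. */
static int weak_check(const char *value)
{
    long requested = strtol(value, NULL, 10);
    return requested <= HARD_LIMIT_BYTES;
}

/* Stricter check: reject unparsable, non-positive and over-cap requests
 * before the value is ever converted to an unsigned type. */
static int strict_check(const char *value)
{
    char *end;
    long requested;

    errno = 0;
    requested = strtol(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0')
        return 0;
    return requested > 0 && requested <= HARD_LIMIT_BYTES;
}

int main(void)
{
    /* Constructed sample requests: under the cap, over the cap, negative. */
    const char *samples[] = { "33554432", "134217728", "-10000" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long v = strtol(samples[i], NULL, 10);
        printf("%-10s weak=%d strict=%d effective=%lu bytes\n", samples[i],
               weak_check(samples[i]), strict_check(samples[i]),
               (unsigned long)effective_limit(v));
    }
    return 0;
}
```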