
Out of int range in Zend/zend_strtod.c #15712


Closed
YuanchengJiang opened this issue Sep 2, 2024 · 0 comments

Description

The following code:

<?php
ini_set('precision', 1140973389);
echo "len=", strlen(strval(-1 * pow(2, -10))), "\n";
?>

Resulted in this output:

/php-src/Zend/zend_strtod.c:3617:5: runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-src/Zend/zend_strtod.c:3617:5

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

devnexen self-assigned this Sep 2, 2024
devnexen added a commit to devnexen/php-src that referenced this issue Sep 2, 2024
When allocating enough room for floats, the allocator used overflows with
large ndigits/EG(precision) value which used a signed integer to double
the buffer. Testing with the zend operator directly is enough to trigger
the issue rather than higher level math interface.
devnexen added a commit to devnexen/php-src that referenced this issue Sep 2, 2024
When allocating enough room for floats, the allocator used overflows with
large ndigits/EG(precision) value which used a signed integer to
increase the size of the buffer.
Testing with the zend operator directly is enough to trigger
the issue rather than higher level math interface.
devnexen added a commit to devnexen/php-src that referenced this issue Sep 16, 2024
It triggered allocation overflow which, even fixed, in turn gives memory
leak on 32 bits but the allocator relies on signed integers so instead
of changing `j` type we exit if an overflow during the buffer increase
is going to happen.
devnexen added a commit that referenced this issue Nov 7, 2024
It triggered allocation overflow which, even fixed, in turn gives memory
leak on 32 bits but the allocator relies on signed integers.

close GH-15915
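The commit messages above describe the defect only in outline: the buffer-size search in zend_strtod.c doubles a signed `int` until the buffer is large enough, and a huge `precision` pushes that doubling past `INT_MAX` (the `left shift of 1073741824 by 1` UBSan reported is 2^30 becoming 2^31). The program below is an added example, not code from php-src or from the commits referenced here. It models the size-class loop in the shape of `rv_alloc()` from David Gay's dtoa, which zend_strtod.c is derived from, and adds a range check before the shift so the function refuses instead of invoking undefined behaviour; a second function redoes the arithmetic in 64 bits so the out-of-range value can be observed. The `Bigint` layout and the use of the byte count `i` directly as the requested size are assumptions for this example; the exact guard merged in php-src is not reproduced.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ULong;

/* Assumed header layout of dtoa's Bigint: a link pointer, four ints of
 * bookkeeping, then the digit array. Only its size matters here. */
typedef struct Bigint {
    struct Bigint *next;
    int k, maxwds, sign, wds;
    ULong x[1];
} Bigint;

/* Size-class search in the shape of dtoa's rv_alloc(): double j until
 * 2^k ULongs plus the header hold the i bytes requested, and return k.
 * The check before the shift is the mitigation in spirit (stop doubling
 * when the result would leave int range); returns -1 in that case, which
 * is exactly the step UBSan flagged in the unguarded original. */
int checked_size_class(int i)
{
    int j = (int)sizeof(ULong);
    int k = 0;

    if (i < 0)
        return -1;
    while (sizeof(Bigint) - sizeof(ULong) - sizeof(int) + (size_t)j <= (size_t)i) {
        if (j > INT_MAX / 2)     /* j <<= 1 would produce 1 << 31: not an int */
            return -1;
        j <<= 1;
        k++;
    }
    return k;
}

/* The value the unchecked loop would have reached for j, computed in
 * 64-bit arithmetic so this program itself stays well defined. */
long long unchecked_final_j(int i)
{
    long long j = (long long)sizeof(ULong);
    if (i < 0)
        return j;
    while (sizeof(Bigint) - sizeof(ULong) - sizeof(int) + (size_t)j <= (size_t)i)
        j <<= 1;
    return j;
}

int main(void)
{
    /* Constructed inputs: two ordinary sizes and the precision from the report. */
    const int inputs[] = { 17, 100, 1140973389 };
    for (size_t n = 0; n < sizeof inputs / sizeof inputs[0]; n++) {
        int k = checked_size_class(inputs[n]);
        if (k < 0)
            printf("i=%d: refused, doubling would reach j=%lld > INT_MAX\n",
                   inputs[n], unchecked_final_j(inputs[n]));
        else
            printf("i=%d: size class k=%d (%d ULongs)\n", inputs[n], k, 1 << k);
    }
    return 0;
}
```

The guard compares against `INT_MAX / 2` rather than testing the shifted result, because the overflow in a signed left shift is undefined before any comparison could see it; the check has to happen on the pre-shift value. The same pattern applies to any doubling allocator that keeps its size in a signed `int`.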