Bug #27678 number_format() crashes with large numbers.
Submitted: 2004-03-24 14:27 UTC Modified: 2005-12-26 15:49 UTC
Votes:4
Avg. Score:3.8 ± 0.8
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:2 (50.0%)
From: morten_odegaard at broadpark dot no Assigned: helly (profile)
Status: Closed Package: Math related
PHP Version: 5CVS, 4CVS (2005-12-26) (cvs) OS: *
Private report: No CVE-ID: None
 [2004-03-24 14:27 UTC] morten_odegaard at broadpark dot no
Description:
------------
number_format() seems to be having problems with large numbers. I've found two different bugs, where one can segfault Apache.
They are tested on both 4.3.4 and 5.0RC1 on Linux, and 4.3.4 on Windows. Bugs happen in all of them.

--

Calling the function on numbers higher than (and including) 1e71, it will display a wrong result. Some numbers will have one 0 replaced with a 7, while some will be a digit too short, but be very close to the number it is supposed to show.

--

When calling number_format() on numbers bigger than (and including) 1e80, it will either return nothing or crash, depending on the 'decimals' parameter.

If 'decimals' is bigger than 0, then it will return nothing.

If 'decimals' is lower than 1, Apache will segfault.

Reproduce code:
---------------
$ php -r "echo number_format(1e71, 0, '', ' ');"
100 000 000 000 000 070 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000

$ php -r "echo number_format(1e72, 0, '', ' ');"
999 999 999 999 999 600 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000


$ php -r "echo number_format(1e80, 3, '', ' ');"
$ php -r "echo number_format(1e80, 0, '', ' ');"
Segmentation fault

Expected result:
----------------
100 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000

1 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000


10 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000.000

10 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000

Actual result:
--------------
Bug 1: Wrong numbers, as shown above.
Bug 2: Nothing or a segfault, as shown above.

History

 [2004-12-12 23:52 UTC] sniper@php.net
(gdb) run -r "echo number_format(1e80, 3, '', ' ');"
Starting program: /www/php-modules/bin/php -r "echo number_format(1e80, 3, '', ' ');"
[New Thread 1087948032 (LWP 31942)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1087948032 (LWP 31942)]
0x4207c0ad in memmove () from /lib/tls/libc.so.6
(gdb) bt
#0  0x4207c0ad in memmove () from /lib/tls/libc.so.6
#1  0xbfffd8e8 in ?? ()
#2  0x08259347 in ap_php_cvt (arg=Cannot access memory at address 0xffffffef
) at /usr/src/web/php/php4/main/snprintf.c:294
Cannot access memory at address 0xffffffff

 [2005-03-30 10:58 UTC] kameshj at fastmail dot fm
Regarding the segfault:
In main/snprintf.c, ap_php_cvt has a call to memmove(&buf[mvl], &buf[0], NDIG-mvl-1); NDIG-mvl-1 becomes -1 in the mentioned defect of double being 1e80, decimals 3, dec_sep '' and thousand_sep ' '.
As far as I could see, PHP recognizes a float as high as 1e308, so I feel NDIG should be set accordingly to a higher value, let us say 310 or 311.
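The following C program is an added illustration of the failure mode described in the report and in the comment above; it is not PHP's code and does not reproduce ap_php_cvt. It assumes a digit buffer of NDIG = 80 characters (the real value in main/snprintf.c is not quoted on this page) and uses hypothetical function names. It shows (a) how the signed expression NDIG - mvl - 1 becomes -1 when the integer part of 1e80 needs 81 digits and then silently converts to SIZE_MAX on its way into memmove(), and (b) a defensive formatter that measures the conversion with snprintf() and refuses input that does not fit, instead of shifting bytes with an unchecked length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed digit-buffer size for this demonstration only; the real NDIG in
   PHP's main/snprintf.c is not quoted on the bug page. */
#define NDIG 80

/* Number of characters "%.0f" needs for value (digits plus sign), or -1 on
   an encoding error. snprintf(NULL, 0, ...) measures without writing. */
int integer_digits_needed(double value) {
    int n = snprintf(NULL, 0, "%.0f", value);
    return n < 0 ? -1 : n;
}

/* The length expression the thread describes, NDIG - mvl - 1, evaluated as
   the size_t that memmove() would receive. When mvl == NDIG the int result
   is -1, which converts to SIZE_MAX: an unbounded copy. No memmove is called. */
size_t unchecked_move_length(int ndig, int mvl) {
    int len = ndig - mvl - 1;
    return (size_t)len;
}

/* Hardened form: validate the operands and refuse the shift rather than
   letting the length wrap. Returns 0 and sets *len on success, -1 otherwise. */
int checked_move_length(int ndig, int mvl, size_t *len) {
    if (ndig <= 0 || mvl < 0 || mvl > ndig - 1) return -1;
    *len = (size_t)(ndig - mvl - 1);
    return 0;
}

/* Defensive integer formatter with a thousands separator (hypothetical
   helper). Converts value with "%.0f" into a fixed NDIG buffer, checks the
   snprintf() return value before touching any byte, then inserts sep every
   three digits into out. Returns the output length, or -1 if either buffer
   is too small. */
int format_with_separator(double value, char sep, char *out, size_t outsz) {
    char digits[NDIG + 1];
    int n = snprintf(digits, sizeof digits, "%.0f", value);
    if (n < 0 || (size_t)n >= sizeof digits) return -1;   /* would not fit */
    int start = (digits[0] == '-') ? 1 : 0;
    int ndigits = n - start;
    int groups = ndigits > 0 ? (ndigits - 1) / 3 : 0;     /* separators needed */
    size_t need = (size_t)n + (size_t)groups;
    if (need + 1 > outsz) return -1;                      /* room for NUL too */
    size_t o = 0;
    if (start) out[o++] = '-';
    for (int i = 0; i < ndigits; i++) {
        if (i > 0 && (ndigits - i) % 3 == 0) out[o++] = sep;
        out[o++] = digits[start + i];
    }
    out[o] = '\0';
    return (int)o;
}

int main(void) {
    char buf[160];
    printf("1e80 needs %d digit characters\n", integer_digits_needed(1e80));
    printf("unchecked length for mvl == NDIG: %zu\n",
           unchecked_move_length(NDIG, NDIG));
    if (format_with_separator(1e80, ' ', buf, sizeof buf) < 0)
        puts("1e80 rejected: does not fit the digit buffer");
    if (format_with_separator(1234567.0, ' ', buf, sizeof buf) >= 0)
        printf("1234567 -> %s\n", buf);
    return 0;
}
```

The point of the measured conversion is that the size check happens before any memory is moved; the original crash came from a length computed after the fact, in a signed type, from a digit count that had already exceeded the buffer. Enlarging NDIG (as the comment suggests) raises the threshold, while checking the length closes the hole for any value.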
 [2005-11-01 11:31 UTC] sniper@php.net
Marcus, can you check this out please?
 [2005-12-21 23:33 UTC] sniper@php.net
3rd reminder for Marcus: Check this out after Christmas 2005 but before New Year's eve 2005-2006 :)

 [2005-12-25 17:27 UTC] sniper@php.net
Marcus: It's after Christmas and before New Year's eve!
Fix this.
 [2005-12-26 15:49 UTC] helly@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
