Bug #70239 Creating a huge array doesn't result in exhausted, but segfault
Submitted: 2015-08-11 12:25 UTC Modified: 2015-08-11 14:32 UTC
From: sjon at hortensius dot net Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0.0beta3 OS:
Private report: No CVE-ID: None
 [2015-08-11 12:25 UTC] sjon at hortensius dot net
Description:
------------
This only started happening in php-7; before that it would work better.

Test script:
---------------
from http://3v4l.org/ToUVn

<?php
range(0, pow(2.0, 100000000));

Expected result:
----------------
Fatal error: Allowed memory size of xxx bytes exhausted (tried to allocate 32 bytes) in /in/ToUVn on line 2
Process exited with code 255.

Actual result:
--------------
Process exited with code 139.

History

 [2015-08-11 13:30 UTC] laruence@php.net
a fix could be:
$ git diff
diff --git a/ext/standard/array.c b/ext/standard/array.c
index 7ef9d73..8745149 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -1739,6 +1739,11 @@ double_str:
 		high = zval_get_double(zhigh);
 		i = 0;

+		if (zend_isinf(high) || zend_isinf(low)) {
+			php_error_docref(NULL, E_WARNING, "Range is too big");
+			RETURN_FALSE;
+		}
+
 		Z_TYPE_INFO(tmp) = IS_DOUBLE;
 		if (low > high) { 		/* Negative steps */
 			if (low - high < step || step <= 0) {
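Review bot: the guard added ahead of `Z_TYPE_INFO(tmp) = IS_DOUBLE;` only rejects infinite bounds via `zend_isinf()`, so a huge but still finite `high` (the PHP_INT_MAX/2 case raised later in this thread) passes the check and reaches the element-count computation, where the double is narrowed to a 32-bit count and, as noted further down, comes out as zero, giving the same crash. Consider validating the computed element count `(high - low) / step` against the engine's maximum array size before any allocation, in addition to the infinity check, and apply the same bound in the integer path rather than only under this `double_str:` label.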

but I am not sure what the proper error message should be?
 [2015-08-11 13:35 UTC] sjon at hortensius dot net
I don't know what is considered *infinite* in php, but the same thing happens with large numbers like PHP_INT_MAX/2, see http://3v4l.org/BSYs8
 [2015-08-11 14:06 UTC] laruence@php.net
hmm, actually, this is the same as the previous one. (uint32)((double)(very big value)) results in zero...
 [2015-08-11 14:06 UTC] laruence@php.net
-Status: Open +Status: Analyzed
 [2015-08-11 14:32 UTC] ab@php.net
-Assigned To: +Assigned To: ab
 [2015-08-14 12:35 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=01ee09f3f70284183679d403d2a2ae1928689573
Log: Fixed bug #70239 Creating a huge array doesn't result in exhausted, but segfault
 [2015-08-14 12:35 UTC] ab@php.net
-Status: Analyzed +Status: Closed
 [2015-08-18 16:24 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=01ee09f3f70284183679d403d2a2ae1928689573
Log: Fixed bug #70239 Creating a huge array doesn't result in exhausted, but segfault
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=01ee09f3f70284183679d403d2a2ae1928689573
Log: Fixed bug #70239 Creating a huge array doesn't result in exhausted, but segfault