php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #51105 PHP str_repeat() Function Integer Overflow
Submitted: 2010-02-21 14:44 UTC Modified: 2010-10-16 00:31 UTC
Votes:9
Avg. Score:3.8 ± 1.6
Reproduced:2 of 4 (50.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: r3d dot w0rm at yahoo dot com Assigned:
Status: Not a bug Package: Strings related
PHP Version: 5.3.2RC2 OS: All
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: r3d dot w0rm at yahoo dot com
New email:
PHP Version: OS:

 

 [2010-02-21 14:44 UTC] r3d dot w0rm at yahoo dot com 
Description:
------------
PHP str_repeat() Function Integer Overflow

AUTHOR : Sina Yazdanmehr(R3d.W0rm)

Discovered by : Sina Yazdanmehr (R3d.W0rm)

Our Site : http://IrCrash.com

Our Forums : http://ircrash.com/persian/

My Official WebSite : http://R3dW0rm.ir

IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr)

Reproduce code:
---------------
<?php
//www.IrCrash.com
//By : R3d.W0rm
$str1 = str_repeat('0x0x0x0x',999999999);
$str2 = str_repeat($str,1);
?>  

Expected result:
----------------
Fatal error: Possible integer overflow in memory allocation (8 * 999999999 + 1) in F:\Program Files\EasyPHP-5.3.1\www\over.php on line 4


Fatal error: Possible integer overflow in memory allocation (8 * 999999999 + 1) in /var/www/html/over.php on line 4

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-02-21 15:14 UTC] pajoye@php.net 
Which processor and OS do you use? I get the expected fatal error here.
 [2010-02-21 16:33 UTC] r3d dot w0rm at yahoo dot com 
Os : win Xp Sp 2 , Fedora 11
Cpu : 2.2
 [2010-02-21 17:26 UTC] pajoye@php.net 
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.
 [2010-03-01 01:00 UTC] php-bugs at lists dot php dot net 
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2010-07-16 01:41 UTC] php at crummett dot us 
PHP says you do not have enough memory to do this. The string generated would be 8GiB in size.

Also, this can be simplified as:

Reproduce code:
---------------
<?php
str_repeat('0x0x0x0x',999999999);

Actual result:
---------------
Fatal error: Possible integer overflow in memory allocation (8 * 999999999 + 1) in crash.php  on line 2
 [2010-10-16 00:31 UTC] felipe@php.net
-Status: No Feedback +Status: Bogus
 [2010-10-16 00:31 UTC] felipe@php.net 
I cannot reproduce this. (probably already fixed)
 [2011-11-22 05:35 UTC] firexware at gmail dot com 
The problem was not reproducible because you were using 64-bit php which uses 64-bit signed integers.

Try this:

<?php
$str1 = str_repeat('0x0x0x0x', 18446744073709551615);
echo "all good so far...\n";
$str2 = str_repeat('0x0x0x0x', 2305843009213693952);
?>

18446744073709551615 is 2^64 - 1, which is -1 in two's compliment.
2305843009213693952 is 2^61

Output:

all good so far...
PHP Fatal error:  Possible integer overflow in memory allocation (8 * 2305843009213693952 + 1) in /tmp/test.php on line 4

Expected output:

PHP Fatal error:  Possible integer overflow in memory allocation (8 * 18446744073709551615 + 1) in /tmp/test.php on line 2
all good so far...
PHP Fatal error:  Possible integer overflow in memory allocation (8 * 2305843009213693952 + 1) in /tmp/test.php on line 4
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Apr 03 23:01:31 2025 UTC