php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #51397 Math calculation bug
Submitted: 2010-03-26 08:20 UTC Modified: 2010-06-08 14:38 UTC
Votes:5
Avg. Score:4.6 ± 0.8
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:1 (33.3%)
From: emanuel dot dejanu at humaninfo dot ro Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 5.2.13 OS: FREEBSD & LINUX
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: emanuel dot dejanu at humaninfo dot ro
New email:
PHP Version: OS:

 

 [2010-03-26 08:20 UTC] emanuel dot dejanu at humaninfo dot ro 
Description:
------------

I have used the code from the test script on my development machine (Windows Professional 7 32bit) with php 5.2.12 and is working correctly but when I have deployed on my production machine that is FreeBSD 6.3 32bit with the same php version 5.2.12 is giving wrong results (-2147483593). I also run this on other production machine that is RedHat 5 32bit with php 5.2.6 and is also giving wrong results (-2147483593).

I can not test with php 5.2.13 on production machines (virtual hosting).
On windows is giving the correctly result (754303898) with PHP 5.2.12 and PHP 5.3.1. I am running in 32bit platform on all machines.

-------------------------------------------------------------------

PHP_INT_SIZE: 4

System => FreeBSD somehost.com 6.3-RELEASE FreeBSD 6.3-RELEASE #6: Wed Oc
t 21 09:32:42 MDT 2009     root@fc:/usr/src/sys/i386/compile/VKERN i386
Build Date => Mar  3 2010 12:51:00
Configure Command =>  './configure'  '--with-layout=GNU' '--with-config-file-sca
n-dir=/usr/local/etc/php' '--disable-all' '--enable-libxml' '--with-libxml-dir=/
usr/local' '--enable-reflection' '--program-prefix=' '--enable-fastcgi' '--with-
apxs2=/usr/local/sbin/apxs' '--with-regex=php' '--with-zend-vm=CALL' '--prefix=/
usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-
portbld-freebsd6.3'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/etc
Loaded Configuration File => /usr/local/etc/php.ini
Scan this dir for additional .ini files => /usr/local/etc/php
additional .ini files parsed => /usr/local/etc/php/extensions.ini

PHP API => 20041225
PHP Extension => 20060613
Zend Extension => 220060519
Debug Build => no



Test script:
---------------
function myhash($key) {
        $h = 5381;
        $l = strlen($key);
        for($i = 0; $i < $l; ++$i) {
            $h = (($h << 5) + $h) ^ ord($key[$i]);
        }
        return $h;
}
$h = myhash('CL6.1.7');
if ($h != 754303898)
        echo "bug\n";
echo $h . "\n";


Expected result:
----------------
754303898


Actual result:
--------------
bug
-2147483593

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-03-26 11:56 UTC] fa@php.net
-Status: Open +Status: Verified
 [2010-03-26 11:56 UTC] fa@php.net 
Verified with 5.2.13 on Debian (default configure)

Verified in the Debian 5.2.6+lenny4 PHP (just for completeness)

Correct result with 5.3.2 on Gentoo
 [2010-04-22 21:54 UTC] whatrevolution at yahoo dot com 
My answer to myhash('CL6.1.7'): 229416432419738

PHP Version 5.2.10-2ubuntu6.4

System 	Linux 2.6.31-20-generic x86_64
Build Date 	Jan 6 2010 22:36:47
Server API 	Apache 2.0 Handler 
PHP API 	20041225
PHP Extension 	20060613
Zend Extension 	220060519
Debug Build 	no
Thread Safety 	disabled
Zend Memory Manager 	enabled 

Apache/2.2.12 (Ubuntu)
 [2010-04-25 12:29 UTC] cimodev at me dot com 
My Result on OpenSuse 11.0 - 64bit with PHP 5.3.2:
229416432419738

-----

On Debian 64bit:

PHP 5.3.2-0.dotdeb.1 with Suhosin-Patch (cli) (built: Mar  9 2010 11:42:01)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.29, Copyright (c) 2007, by SektionEins GmbH

229416432419738

Maybe this bug occurres primarily on 32bit systems... I have none here for testing
 [2010-04-25 12:46 UTC] pajoye@php.net 
It looks to me that this code has an integer overflow at some point. I would suggest to use ext/hash if you need reliable hashes or add integer overflow checks in your code.

This behavior can't be seen on windows. On this platform the long type has the same size, no matter the architecture (32bit on both x64 and x86).
 [2010-06-08 14:38 UTC] tony2001@php.net
-Status: Verified +Status: Bogus
 [2010-06-08 14:38 UTC] tony2001@php.net 
>It looks to me that this code has an integer overflow at some point
Yep.
And it's easy to see where exactly it overflows:
Add var_dump($h); at the end of for() loop, you'll see it yourself:
int(177638)
int(5862122)
int(193450012)
int(2088883122)
int(213666243)
int(-1538948595)
int(754303898)
int(754303898)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Jul 03 12:01:33 2025 UTC