Bug #66183 Converting large strings to floats
Submitted: 2013-11-27 14:17 UTC
Modified: 2015-08-28 18:18 UTC
From: aatallah at stanford dot edu
Assigned: nikic (profile)
Status: Closed
Package: Strings related
PHP Version: Irrelevant
OS: Mac OS X 10.9
Private report: No
CVE-ID: 2013-4164

 [2013-11-27 14:17 UTC] aatallah at stanford dot edu
Description:
------------
I'm using PHP 5.4.17 (cli) (built: Aug 25 2013 02:03:38), the default shipped by Apple now.

See the test script. When a string-representation of a decimal is large enough, converting it to a float causes "Fatal error: Balloc() allocation exceeds list boundary in php shell code on line 1" and terminates the script. This is similar to Ruby's bug, publicized at https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/.

Ruby fixed this by avoiding the Bigint freelist in Balloc; perhaps PHP should do something better than having a hard cutoff for k in Balloc.

Test script:
---------------
echo floatval("1.".str_repeat("1", 300000));

Expected result:
----------------
1.1111111111111, which is the output of echo floatval("1.".str_repeat("1", 300));

Actual result:
--------------
Fatal error: Balloc() allocation exceeds list boundary in php shell code on line 1

History
 [2013-12-12 05:27 UTC] laruence@php.net
-Type: Bug
+Type: Security
-Private report: No
+Private report: Yes
 [2013-12-12 05:28 UTC] laruence@php.net
-CVE-ID:
+CVE-ID: 2013-4164
 [2013-12-12 05:29 UTC] laruence@php.net
-Type: Security
+Type: Bug
 [2013-12-12 05:29 UTC] laruence@php.net
hmm, misunderstood, this is not a security bug for php
 [2015-08-28 18:18 UTC] nikic@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic
 [2015-08-28 18:18 UTC] nikic@php.net
This has been fixed in PHP 7 as part of the strtod update.
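
For code that still has to run on releases without the PHP 7 strtod update, one mitigation is to bound and validate a numeric string before it reaches the float conversion, so oversized input is rejected instead of ending the script with a fatal error. The following is an added example, not part of the bug report or of PHP itself; `parse_bounded_float()` and `MAX_NUMERIC_LEN` are hypothetical names, and the 302-character limit is an assumption taken from the longest input the report shows converting cleanly.

```php
<?php
// Added example (not from the bug report): reject oversized or malformed
// numeric strings before they reach PHP's string-to-float conversion.

// Assumed application limit, not a PHP constant. 302 is the length of the
// "1." + 300 digits string that the report shows converting without error.
const MAX_NUMERIC_LEN = 302;

/**
 * Convert an untrusted decimal string to a float.
 * Returns null when the input is rejected. Hypothetical helper name.
 */
function parse_bounded_float($input, $maxLen = MAX_NUMERIC_LEN)
{
    // Length check first: it is cheap and runs before any regex or conversion.
    if (!is_string($input) || strlen($input) > $maxLen) {
        return null;
    }
    $s = trim($input);
    // Accept only plain decimal or exponent notation; no trailing garbage.
    if (!preg_match('/^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$/D', $s)) {
        return null;
    }
    $f = (float) $s;
    // Reject values that overflow to INF (for example "1e999").
    return is_finite($f) ? $f : null;
}

// Constructed sample inputs.
$samples = array(
    'short'     => '1.' . str_repeat('1', 300),
    'oversized' => '1.' . str_repeat('1', 300000), // the report's test string
    'malformed' => '1.1abc',
    'overflow'  => '1e999',
);

foreach ($samples as $label => $value) {
    $result = parse_bounded_float($value);
    printf("%-10s %s\n", $label, $result === null ? 'rejected' : var_export($result, true));
}
```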
Last updated: Wed Jan 15 16:01:31 2025 UTC