Bug #70239 Creating a huge array doesn't result in exhausted, but segfault
Submitted: 2015-08-11 12:25 UTC Modified: 2015-08-11 14:32 UTC
From: sjon at hortensius dot net Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0.0beta3 OS:
Private report: No CVE-ID: None
 [2015-08-11 12:25 UTC] sjon at hortensius dot net
Description:
------------
This only started happening in php-7; before that it would work better.

Test script:
---------------
from http://3v4l.org/ToUVn

<?php
range(0, pow(2.0, 100000000));

Expected result:
----------------
Fatal error: Allowed memory size of xxx bytes exhausted (tried to allocate 32 bytes) in /in/ToUVn on line 2
Process exited with code 255.

Actual result:
--------------
Process exited with code 139.

Patches

Pull Requests

History

 [2015-08-11 13:30 UTC] laruence@php.net
a fix could be:
$ git diff
diff --git a/ext/standard/array.c b/ext/standard/array.c
index 7ef9d73..8745149 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -1739,6 +1739,11 @@ double_str:
 		high = zval_get_double(zhigh);
 		i = 0;

+		if (zend_isinf(high) || zend_isinf(low)) {
+			php_error_docref(NULL, E_WARNING, "Range is too big");
+			RETURN_FALSE;
+		}
+
 		Z_TYPE_INFO(tmp) = IS_DOUBLE;
 		if (low > high) { 		/* Negative steps */
 			if (low - high < step || step <= 0) {
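Review bot: the zend_isinf() guard only rejects infinite bounds, so a finite but enormous span (the reporter's PHP_INT_MAX/2 follow-up) still reaches the element-count computation, where the double count is narrowed to a 32-bit value and wraps to zero or a small number, which is the cause laruence points to in the 14:06 comment. Check the computed count, (high - low) / step as a double, against the hash table's maximum size before the array is allocated, and emit the warning and RETURN_FALSE from that one place, so the infinite and the merely huge inputs take the same path; a warning such as "The supplied range exceeds the maximum array size" also answers the open question about the message text.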

but I am not sure what the proper error message should be?
 [2015-08-11 13:35 UTC] sjon at hortensius dot net
I don't know what is considered *infinite* in php, but the same thing happens with large numbers like PHP_INT_MAX/2, see http://3v4l.org/BSYs8
 [2015-08-11 14:06 UTC] laruence@php.net
hmm, actually, this is the same as the previous one. (uint32)((double)(very big value)) results in zero...
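As an added illustration, not code from this report or from php-src, the validation shape the analysis above calls for: keep the element count as a double, reject non-finite bounds and steps, and compare against the table limit before the value is ever narrowed to an integer type. `range_len`, `checked_count` and the `max_elems` limit are my own names and an assumed constant, not PHP's.

```c
#include <math.h>
#include <stdint.h>

/* Outcomes of validating a range() request before any allocation. */
enum range_status { RANGE_OK = 0, RANGE_NOT_FINITE = 1, RANGE_BAD_STEP = 2, RANGE_TOO_BIG = 3 };

/* Returns RANGE_OK and stores the inclusive element count in *out, or a
 * status explaining why the request must be refused. The count is kept
 * as a double until it is known to fit, so (uint32)huge_double can never
 * wrap to a small allocation the way the reported crash does. */
enum range_status checked_count(double low, double high, double step,
                                uint64_t max_elems, uint64_t *out) {
    /* pow(2.0, 100000000) is +inf; NaN fails isfinite as well. */
    if (!isfinite(low) || !isfinite(high) || !isfinite(step))
        return RANGE_NOT_FINITE;
    if (step <= 0.0)
        return RANGE_BAD_STEP;
    double q = fabs(high - low) / step;   /* number of steps, still a double */
    /* Compare BEFORE narrowing: PHP_INT_MAX/2 is finite but far beyond any
     * table size, and converting it to an integer type is undefined. */
    if (q + 1.0 >= (double)max_elems)
        return RANGE_TOO_BIG;
    *out = (uint64_t)q + 1;              /* bounds are inclusive */
    return RANGE_OK;
}

/* Convenience wrapper: element count on success, or -status on refusal. */
int64_t range_len(double low, double high, double step, uint64_t max_elems) {
    uint64_t n = 0;
    enum range_status st = checked_count(low, high, step, max_elems, &n);
    return st == RANGE_OK ? (int64_t)n : -(int64_t)st;
}
```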
 [2015-08-11 14:06 UTC] laruence@php.net
-Status: Open +Status: Analyzed
 [2015-08-11 14:32 UTC] ab@php.net
-Assigned To: +Assigned To: ab
 [2015-08-14 12:35 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=01ee09f3f70284183679d403d2a2ae1928689573
Log: Fixed bug #70239 Creating a huge array doesn't result in exhausted, but segfault
 [2015-08-14 12:35 UTC] ab@php.net
-Status: Analyzed +Status: Closed
 [2015-08-18 16:24 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=01ee09f3f70284183679d403d2a2ae1928689573
Log: Fixed bug #70239 Creating a huge array doesn't result in exhausted, but segfault
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=01ee09f3f70284183679d403d2a2ae1928689573
Log: Fixed bug #70239 Creating a huge array doesn't result in exhausted, but segfault