php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #21523 number_format causes call to emalloc for a negative amount of memory
Submitted: 2003-01-08 13:05 UTC Modified: 2003-01-09 09:48 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: cteubner at ncw-av dot com Assigned: wez
Status: Closed Package: Strings related
PHP Version: 4.3.0 OS: Windows 2000
Private report: No CVE-ID:
 [2003-01-08 13:05 UTC] cteubner at ncw-av dot com
When the following line is run:

echo number_format(2, 2678);

The following error appears in the Apache error log:

FATAL:  emalloc():  Unable to allocate -1112 bytes

-259 and -123 have also appeared.
Clearly I accidentally used number_format in the reverse
direction that I meant to.  However, it seems like whatever is requesting memory for number_format is experiencing integer overflow.  That doesn't seem right.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-01-09 06:36 UTC] wez@php.net
sprintf under win32 can crash when the format width is too large.
Changing the emalloc + sprintf to spprintf highlights a problem in our spprintf implementation; it only returns a string of 80 chars.
This length causes the reslen calculation to produce a negative number and thus emalloc to fail.
 [2003-01-09 09:48 UTC] wez@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 [2004-07-19 17:05 UTC] edreddy at gmail dot com
when I used the function number_format(-2000, 2768) in php script and invoke that script using cli php (in version 5.3.8), php interpreter is getting into infinite loop of modf() and memmov() functions. It is working fine if I use the the second argument of number_format() function is less than 305. Platform  is RedHat Enterprise Linux Advanced Server3.0
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 07:02:14 2014 UTC