|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #21523 number_format causes call to emalloc for a negative amount of memory
Submitted: 2003-01-08 13:05 UTC Modified: 2003-01-09 09:48 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: cteubner at ncw-av dot com Assigned: wez (profile)
Status: Closed Package: Strings related
PHP Version: 4.3.0 OS: Windows 2000
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: cteubner at ncw-av dot com
New email:
PHP Version: OS:


 [2003-01-08 13:05 UTC] cteubner at ncw-av dot com
When the following line is run:

echo number_format(2, 2678);

The following error appears in the Apache error log:

FATAL:  emalloc():  Unable to allocate -1112 bytes

-259 and -123 have also appeared.
Clearly I accidentally used number_format in the reverse
direction that I meant to.  However, it seems like whatever is requesting memory for number_format is experiencing integer overflow.  That doesn't seem right.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2003-01-09 06:36 UTC]
sprintf under win32 can crash when the format width is too large.
Changing the emalloc + sprintf to spprintf highlights a problem in our spprintf implementation; it only returns a string of 80 chars.
This length causes the reslen calculation to produce a negative number and thus emalloc to fail.
 [2003-01-09 09:48 UTC]
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at
In case this was a documentation problem, the fix will show up soon at

In case this was a website problem, the change will show
up on the site and on the mirror sites in short time.
Thank you for the report, and for helping us make PHP better.

 [2004-07-19 17:05 UTC] edreddy at gmail dot com
when I used the function number_format(-2000, 2768) in php script and invoke that script using cli php (in version 5.3.8), php interpreter is getting into infinite loop of modf() and memmov() functions. It is working fine if I use the the second argument of number_format() function is less than 305. Platform  is RedHat Enterprise Linux Advanced Server3.0
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri Dec 02 15:05:52 2022 UTC