Bug #26584 Class member - array key overflow
Submitted: 2003-12-10 10:04 UTC Modified: 2005-10-11 17:58 UTC
Votes:5
Avg. Score:4.0 ± 1.5
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:2 (40.0%)
From: sean@php.net Assigned: dmitry (profile)
Status: Wont fix Package: Scripting Engine problem
PHP Version: 5CVS, 4CVS (2005-06-19) OS: *
Private report: No CVE-ID: None

 [2003-12-10 10:04 UTC] sean@php.net
Description:
------------
See attached code.

It seems that when assigning arrays in a class definition, it's possible to overflow the array key, without any sort of warning/notice/etc.

This only happens in a class def, and not to a "global" namespace array.

It's odd that the same code isn't used for both regular array constructs, and object array constructs (Zend Engine).

ZE2 may fix this problem. Has not been tested.

The logical overflow threshold is between 2147483647 and 2147483648 (where 2147483648 is a 32-bit (signed) integer value of -0, if I'm not mistaken -- or 0x80000000).

Note: this affects more than just negative keys as seen in code:VAL3.

I don't have time to jump into the php source right now (nor am I truly qualified to do so).

Please let me know if/when you need additional details.

S
(sean@php.net)


Reproduce code:
---------------
http://sean.caedmon.net/php/class_array_bug.phps
(http://sean.caedmon.net/php/class_array_bug.php)


Expected result:
----------------
(see code)

Actual result:
--------------
(see code)
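
An added example, not part of the original report or the linked reproduce code: a small audit that flags integer array keys outside the signed 32-bit range around the threshold the report names, and shows which keys would silently land on the same slot. It assumes the overflow behaves as a two's-complement wrap to 32 bits; the function names and sample keys are constructed for illustration.

```python
# Added example (not from the bug report). Models the overflow as a
# two's-complement wrap to a signed 32-bit integer, which is an assumption.
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def wrap_int32(value):
    """Reduce value to a signed 32-bit integer (two's-complement wrap)."""
    return (value + 2**31) % 2**32 - 2**31


def audit_keys(keys):
    """Report out-of-range keys and the collisions they would cause.

    Returns (overflowed, collisions):
      overflowed -- {original_key: wrapped_key} for keys outside int32
      collisions -- {wrapped_key: [original keys]} where 2+ keys collide
    """
    overflowed = {}
    landed = {}
    for key in keys:
        wrapped = wrap_int32(key)
        if not INT32_MIN <= key <= INT32_MAX:
            overflowed[key] = wrapped
        landed.setdefault(wrapped, []).append(key)
    collisions = {k: v for k, v in landed.items() if len(v) > 1}
    return overflowed, collisions


# Constructed sample keys around the 2147483647 / 2147483648 threshold.
SAMPLE_KEYS = [0, 2147483647, 2147483648, 4294967296, -2147483649]

if __name__ == "__main__":
    overflowed, collisions = audit_keys(SAMPLE_KEYS)
    for original, wrapped in overflowed.items():
        print(f"key {original} is outside int32 and would become {wrapped}")
    for wrapped, originals in collisions.items():
        print(f"keys {originals} all map to {wrapped}")
```

Under this model a wrapped key is not always negative: it can overwrite an existing in-range entry, so range-checking keys before they reach the array is the safer place to catch it.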

History

 [2005-01-25 15:41 UTC] sniper@php.net
Leaks too:

php5/Zend/zend_compile.c(3005) :  Freeing 0x082268CC (16 bytes)
php5/Zend/zend_language_scanner.l(1607) :  Freeing 0x08226894 (5 bytes)

php_4_3/Zend/zend_compile.c(1872) :  Freeing 0x086549D4 (12 bytes)
php_4_3/Zend/zend_language_scanner.l(1531) :  Freeing 0x0865499C (5 bytes)

 [2005-06-19 21:22 UTC] sniper@php.net
See also bug #28972
Still fails and leaks.

 [2005-06-24 13:51 UTC] dmitry@php.net
The bug is partially fixed in CVS HEAD, PHP_5_0 and PHP_4_4.
Integer overflow problem is not solved, but now constant arrays can use null, boolean and double indices.

 [2005-10-11 17:58 UTC] iliaa@php.net
PHP does not handle integer overflows.
 