Bug #26584 Class member - array key overflow
Submitted: 2003-12-10 10:04 UTC Modified: 2005-10-11 17:58 UTC
Votes:5
Avg. Score:4.0 ± 1.5
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:2 (40.0%)
From: sean@php.net Assigned: dmitry (profile)
Status: Wont fix Package: Scripting Engine problem
PHP Version: 5CVS, 4CVS (2005-06-19) OS: *
Private report: No CVE-ID: None
 [2003-12-10 10:04 UTC] sean@php.net
Description:
------------
See attached code.

It seems that when assigning arrays in a class definition, it's possible to overflow the array key, without any sort of warning/notice/etc.

This only happens in a class def, and not to a "global" namespace array.

It's odd that the same code isn't used for both regular array constructs, and object array constructs (Zend Engine).

ZE2 may fix this problem. Has not been tested.

The logical overflow threshold is between 2147483647 and 2147483648 (where 2147483648 is a 32-bit (signed) integer value of -0, if I'm not mistaken -- or 0x80000000).

Note: this affects more than just negative keys as seen in code:VAL3.

I don't have time to jump into the php source right now (nor am I truly qualified to do so).

Please let me know if/when you need additional details.

S
(sean@php.net)


Reproduce code:
---------------
http://sean.caedmon.net/php/class_array_bug.phps
(http://sean.caedmon.net/php/class_array_bug.php)


Expected result:
----------------
(see code)

Actual result:
--------------
(see code)

History

 [2005-01-25 15:41 UTC] sniper@php.net
Leaks too:

php5/Zend/zend_compile.c(3005) :  Freeing 0x082268CC (16 bytes)
php5/Zend/zend_language_scanner.l(1607) :  Freeing 0x08226894 (5 bytes)

php_4_3/Zend/zend_compile.c(1872) :  Freeing 0x086549D4 (12 bytes)
php_4_3/Zend/zend_language_scanner.l(1531) :  Freeing 0x0865499C (5 bytes)

 [2005-06-19 21:22 UTC] sniper@php.net
See also bug #28972
Still fails and leaks.

 [2005-06-24 13:51 UTC] dmitry@php.net
The bug is partially fixed in CVS HEAD, PHP_5_0 and PHP_4_4.
Integer overflow problem is not solved, but now constant arrays can use null, boolean and double indices.

 [2005-10-11 17:58 UTC] iliaa@php.net
PHP does not handle integer overflows.
 