Bug #27759 bcadd() causes crash if first parameter is empty string
Submitted: 2004-03-29 15:43 UTC Modified: 2004-07-26 19:58 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: patrick at rap-x dot com Assigned:
Status: Closed Package: BC math related
PHP Version: 5.0.0RC1 OS: win32 only
Private report: No CVE-ID:
 [2004-03-29 15:43 UTC] patrick at rap-x dot com
Description:
------------
The following code causes PHP5 RC1 (module)/ WINXP / Apache2 to crash.

The same code doesn't cause a crash on PHP 4.3.4 / WINXP/ IIS (CGI)

Fault discovered by using PEAR :: Benchmark

Workaround is to mess around line 230ish in pear Timer.php so that the bcadd is not called.

Reproduce code:
---------------
$total = "0";
$diff = "";
bcadd($total, $diff, 6);

Expected result:
----------------
n/a

Actual result:
--------------
Apache2 crashes

Windows Event Log records:

Faulting application Apache.exe, version 2.0.49.0, faulting module php5ts.dll, version 5.0.0.0, fault address 0x0003c773.

Apache error log: 

Parent: child process exited with status 3221225477 -- Restarting.
[notice] Parent: Created child process 2120
[notice] Child 2120: Child process is running
[notice] Child 2120: Acquired the start mutex.
[notice] Child 2120: Starting 250 worker threads.

[notice] Parent: Created child process 2120
[notice] Child 2120: Child process is running
[notice] Child 2120: Acquired the start mutex.
[notice] Child 2120: Starting 250 worker threads.
[notice] Parent: child process exited with status 2147483649 -- Restarting.

 [2004-03-29 16:29 UTC] pollita@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip
 [2004-04-04 20:48 UTC] patrick at rap-x dot com
The bug is still reproducible, on the same code base.

I've commented out or replaced all instances of bcmath functions in my code. I don't have a Windows compiler for C, so I can't try the hugely useful suggestion from pollita.

If someone can point me to some binaries I'll test them.
 [2004-04-04 21:32 UTC] magnus@php.net
Latest snapshot

For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip
 [2004-04-04 23:54 UTC] patrick at rap-x dot com
The same code causes the same problem with PHP5 RC2. Output from the first section of phpinfo() below.
-----------------------------
PHP Version 5.0.0RC2-dev
System 	Windows NT ME 5.1 build 2600
Build Date 	Apr 3 2004 04:32:40
Configure Command 	cscript /nologo configure.js "--enable-snapshot-build" "--with-gd=shared"
Server API 	Apache 2.0 Handler
Virtual Directory Support 	enabled
Configuration File (php.ini) Path 	C:\WINDOWS\php.ini
PHP API 	20031224
PHP Extension 	20040316
Zend Extension 	90021012
Debug Build 	no
Thread Safety 	enabled
IPv6 Support 	enabled
Registered PHP Streams 	php, file, http, ftp, compress.zlib
Registered Stream Socket Transports 	tcp, udp
.............
BCMath support 	enabled
 [2004-04-07 05:56 UTC] sniper@php.net
Works fine for me using the latest CVS snapshot.

 [2004-04-11 23:03 UTC] hagen at xiag dot ch
Latest snapshot crashes on both Apaches 2.0.48 and 1.3.29 on WinXP.
 [2004-04-26 13:26 UTC] marv at cyberia dot net dot lb
This bug still exists in PHP5RC2. There isn't a problem with bcmath itself, but something is corrupting heap memory that bcmath uses.
bcmath allocates three numbers (zero, one, and two) when it first starts up. If any of these numbers is then used (such as when adding zero to a number in bcadd) Apache crashes.
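As an added example (not from this report, from PEAR or from the PHP sources), a defensive wrapper that keeps the empty-string operand from the reproduce code from ever reaching the bcmath extension: it normalises "" to "0" and rejects anything that is not a plain decimal string. The names bc_normalize and safe_bc are my own.

```php
<?php
// Added example: validate bcmath operands in userland before they reach the
// C extension. The reports above show bcadd()/bcsub()/bcpow() crashing when
// handed "", so an empty string is mapped to "0" and anything that is not a
// plain decimal number is refused with an exception.

function bc_normalize($value)
{
    // Integers are fine, but bcmath always wants a string.
    if (is_int($value)) {
        return (string) $value;
    }
    if (!is_string($value)) {
        throw new InvalidArgumentException('bcmath operand must be a string');
    }
    $value = trim($value);
    if ($value === '') {
        return '0';                      // the crashing case in this report
    }
    // Optional sign, digits, optional fraction. No exponents, no hex and no
    // whitespace, because bcmath does not understand those either.
    if (!preg_match('/^[+-]?(\d+(\.\d*)?|\.\d+)$/', $value)) {
        throw new InvalidArgumentException("not a bcmath number: '$value'");
    }
    return $value;
}

function safe_bc($op, $left, $right, $scale = 0)
{
    // Only the two-operand bcmath functions; $op is checked against this list
    // so a caller cannot route arbitrary function names through here.
    static $allowed = array('bcadd', 'bcsub', 'bcmul', 'bcdiv', 'bcpow');
    if (!in_array($op, $allowed, true)) {
        throw new InvalidArgumentException("unsupported bcmath op: $op");
    }
    return call_user_func($op, bc_normalize($left), bc_normalize($right), (int) $scale);
}

// Same inputs as the reproduce code above: $diff is rewritten to "0" first.
$total = "0";
$diff  = "";
var_dump(safe_bc('bcadd', $total, $diff, 6));
var_dump(safe_bc('bcpow', $total, $diff, 6));

try {
    safe_bc('bcadd', '1', '1e3', 2);    // exponent notation is refused
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```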
 [2004-06-18 01:21 UTC] rashid at ds dot pg dot gda dot pl
The bug is closed, so I dare to add a 'me too', so maybe someone will reopen it :]
PHP5 RC2: the problem exists in both bc_sub and bc_add (PEAR's Benchmark_Timer works great as a perfect example of this bug).
 [2004-06-29 18:51 UTC] ttt_cao at hotmail dot com
Update the function getProfiling() in Timer.php as follows; maybe you can fix the bug this way.

    function getProfiling() {
        $i = 0;
        $total = $temp = '0.0';
        $result = array();

        foreach ($this->markers as $marker => $time) {

            if (extension_loaded('bcmath')) {
                $diff = bcsub($time, $temp, 6);

                if ($i > 0) {
                    $total = bcadd($total, $diff, 6);
                }
            } else {
                $diff  = $time - $temp;
                $total = $total + $diff;
            }

            echo "$time   $diff $total <br>"; // debug output

            $result[$i]['name']  = $marker;
            $result[$i]['time']  = $time;
            $result[$i]['diff']  = $diff;
            $result[$i]['total'] = $total;

            $this->strlen_max = (strlen($marker) > $this->strlen_max ? strlen($marker) + 1 : $this->strlen_max);

            $temp = $time;
            $i++;
        }

        $result[0]['diff'] = '-';
        $this->strlen_max = (strlen('total') > $this->strlen_max ? strlen('total') : $this->strlen_max);
        $this->strlen_max += 4;

        return $result;
    }
 [2004-07-07 15:48 UTC] pk at onpk dot net
The reproduce code still crashes on my box (Windows 2000 Pro, Apache 1.3.27, PHP5 build 2195). And not only with "bcadd" but also with:
$total = "0";
$diff = "";
bcpow($total, $diff, 6);

And :
$total = "0";
$diff = "";
bcsub($total, $diff, 6);

However, I have to admit that ttt_cao at hotmail dot com's remedy does work. By the way, I'm not using PEAR's Benchmark_Timer.

Hope someone will look at this. Thanks in advance.

Perrick :: http://www.onpk.net/
 [2004-07-25 00:22 UTC] davesk78 at yahoo dot com
This bug still exists in the final release (5.0.0).  I'm running Apache 2, PHP 5.0.0, and Windows XP Pro.  Same test case:

$total = "0";
$diff = "";
$result = bcadd($total, $diff, 6);
echo $result;
exit;

The following also causes Apache to crash:

$total = "0";
$diff = "";
$result = bcpow($total, $diff, 6);
echo $result;
exit;
 [2004-07-26 19:58 UTC] pollita@php.net
The fix was located just *after* the release of 5.0.0 (literally, like, the next day), look for it in 5.0.1.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 18:01:58 2014 UTC