php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34879 str_replace, array_map corrupt negative array indexes
Submitted: 2005-10-15 09:50 UTC Modified: 2005-10-28 17:03 UTC
From: brion at pobox dot com Assigned: dmitry
Status: Closed Package: Scripting Engine problem
PHP Version: 5.1.0RC1, 4.4.1RC1 OS: Linux 64bit (AMD64)
Private report: No CVE-ID:
 [2005-10-15 09:50 UTC] brion at pobox dot com
Description:
------------
On 64-bit Opteron systems, certain functions which operate on
arrays will corrupt negative integer array indexes, turning
them into large positive integers.

I've found at least str_replace, preg_replace, and array_map
to exhibit this behavior.

This bug has been inserting odd, but harmless entries into 
user preferences on Wikipedia, though there might be more 
serious problems caused by it that we haven't yet discovered.

Problem confirmed on PHP 4.4.0, 4.4.1RC1, and 5.1.0RC1
running on Fedora Core 3 for x86_64; compiled PHP with
gcc (GCC) 3.4.4 20050721 (Red Hat 3.4.4-2)


Reproduce code:
---------------
var_dump( str_replace( 'a', 'b', array( -1 => -1 ) ) );


Expected result:
----------------
Running on our 32-bit Linux systems I receive the expected:
array(1) {
  [-1]=>
  string(2) "-1"
}


Actual result:
--------------
On our 64-bit Linux servers, I get an incorrect index:
array(1) {
  [4294967295]=>
  string(2) "-1"
}


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-10-21 23:50 UTC] tony2001@php.net
Reproducible on amd64 host.
 [2005-10-28 14:01 UTC] dmitry@php.net
zend_hash_get_current_key_ex() returns ulong, but add_index_...() accepts uint. On 64-bit ulong and uint have different size. So we lose part of index value.
 [2005-10-28 17:03 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_1.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 19:01:51 2014 UTC