|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34879 str_replace, array_map corrupt negative array indexes
Submitted: 2005-10-15 09:50 UTC Modified: 2005-10-28 17:03 UTC
From: brion at pobox dot com Assigned: dmitry
Status: Closed Package: Scripting Engine problem
PHP Version: 5.1.0RC1, 4.4.1RC1 OS: Linux 64bit (AMD64)
Private report: No CVE-ID:
 [2005-10-15 09:50 UTC] brion at pobox dot com
On 64-bit Opteron systems, certain functions which operate on
arrays will corrupt negative integer array indexes, turning
them into large positive integers.

I've found at least str_replace, preg_replace, and array_map
to exhibit this behavior.

This bug has been inserting odd, but harmless entries into 
user preferences on Wikipedia, though there might be more 
serious problems caused by it that we haven't yet discovered.

Problem confirmed on PHP 4.4.0, 4.4.1RC1, and 5.1.0RC1
running on Fedora Core 3 for x86_64; compiled PHP with
gcc (GCC) 3.4.4 20050721 (Red Hat 3.4.4-2)

Reproduce code:
var_dump( str_replace( 'a', 'b', array( -1 => -1 ) ) );

Expected result:
Running on our 32-bit Linux systems I receive the expected:
array(1) {
  string(2) "-1"

Actual result:
On our 64-bit Linux servers, I get an incorrect index:
array(1) {
  string(2) "-1"


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2005-10-21 23:50 UTC]
Reproducible on amd64 host.
 [2005-10-28 14:01 UTC]
zend_hash_get_current_key_ex() returns ulong, but add_index_...() accepts uint. On 64-bit ulong and uint have different size. So we lose part of index value.
 [2005-10-28 17:03 UTC]
Fixed in CVS HEAD and PHP_5_1.
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Wed Nov 25 00:01:40 2015 UTC