Bug #35690 pack() allocates 1GB memory on float-values.
Submitted: 2005-12-15 20:51 UTC
Modified: 2005-12-15 23:15 UTC
Avg. Score: 3.0 ± 0.8
Reproduced: 3 of 3 (100.0%)
Same Version: 2 (66.7%)
Same OS: 3 (100.0%)
From: hn at ondskap dot net
Assigned:
Status: Closed
Package: Unknown/Other Function
PHP Version: 5.1.1
OS: Linux, Windows Server 2003
Private report: No
CVE-ID:
 [2005-12-15 20:51 UTC] hn at ondskap dot net
Weird stuff going on with pack().

pack("A*", $float) makes the process go into an endless loop (if you turn off the memory limit), and kills the apache-thread (and probably the server too if it's a slow one), trying to allocate ~1GB of memory.

It's important to check all user-inputs to the pack()-function as it might hang the server for a while.

From the PHP-doc: "Also note that PHP internally stores integer values as signed values of a machine dependent size. If you give it an unsigned integer value too large to be stored that way it is converted to a float which often yields an undesired result."

(Including php-version 5.1.1)

Reproduce code:
   echo pack( "A*", 1.0 );
FATAL:  emalloc():  Unable to allocate 1072693249 bytes

   echo strlen( pack( "A*", (int) "heh" ));
   // Returns 3, although we cast it to an integer?

Expected result:
A fatal error on emalloc() that's unable to allocate a machine-dependent amount of memory.
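As an added example (not from the report, and not PHP's own code), this is the kind of input check the reporter recommends: a small wrapper, with the hypothetical name safe_pack_string() and an assumed, caller-chosen length cap, that accepts only the string-consuming format codes, converts numeric operands to strings explicitly before they reach pack(), and bounds the length so a "*" repeater never packs an unbounded value. It uses scalar type declarations, so it needs PHP 7 or later.

```php
<?php
// Added example, not part of the original bug report or of PHP itself.
// Pre-validate values handed to pack() so the length-dependent format
// codes ('a', 'A', 'h', 'H') only ever see a real, bounded string.

// Hypothetical wrapper; $maxLen is an assumed cap chosen by the caller.
function safe_pack_string(string $format, $value, int $maxLen = 4096): string
{
    // Only the string-consuming codes are accepted by this wrapper.
    if (!preg_match('/^[aAhH](\d+|\*)?$/', $format)) {
        throw new InvalidArgumentException("unsupported pack format: $format");
    }

    // Ints and floats become their decimal text explicitly, so pack()
    // never has to derive a length from a non-string operand.
    if (is_int($value) || is_float($value)) {
        $value = (string) $value;
    }
    if (!is_string($value)) {
        throw new InvalidArgumentException('pack() string code needs a scalar value');
    }

    // A "*" repeater packs the whole string, so bound its length here.
    if (strlen($value) > $maxLen) {
        throw new LengthException('value exceeds allowed pack length');
    }

    return pack($format, $value);
}

// The two inputs from the report, now routed through the wrapper.
var_dump(safe_pack_string('A*', 1.0));
var_dump(strlen(safe_pack_string('A*', (int) 'heh')));

// A non-scalar operand is rejected before pack() is called.
try {
    safe_pack_string('A*', ['not', 'a', 'string']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The explicit string cast is the important step: whatever a given PHP release does with a float operand, pack() here only ever receives a string whose length is known and capped.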


 [2005-12-15 23:15 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Sun Oct 04 21:01:30 2015 UTC