Bug #46587 mt_/rand produce out of range numbers when min = 0 and max > get_randmax
Submitted: 2008-11-17 02:50 UTC Modified: 2010-11-23 14:09 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: atomo64 at gmail dot com Assigned: iliaa
Status: Closed Package: Math related
PHP Version: 5.2.6 OS: Debian sid
Private report: No CVE-ID:
 [2008-11-17 02:50 UTC] atomo64 at gmail dot com
Whenever min is set to 0 and max is set to anything greater than 
getrandmax (or the mt_ version) the returned PRN is always (despite 
the upper limit check in the example code) a number less than 0.

Reproduce code:
define("UL", mt_getrandmax()+1000);
$r=mt_rand(0, UL);
if ($r < 0 || $r > UL)
echo "Random value out of range\n";

Expected result:
No output

Actual result:
Random value out of range


 [2009-03-09 14:06 UTC] mmcnickle at gmail dot com
The problem is that there is an integer overflow on UL:

define('UL',mt_getrandmax() + 1000);
var_dump(UL, (int)UL);

will produce

The $min and $max parameter names on mt_rand() (and rand()) are misleading, as $min can be larger than $max and mt_rand will produce a correct value between $min and $max.

In the bug example, the expected result is returned: a random value between -2147482649 and 0.

If you want to change the integer overflow behaviour, it would be best to do a check using mt_getrandmax() in the PHP code:

$max = mt_getrandmax() + 1000;

if ($max > mt_getrandmax()) {
    $max = mt_getrandmax();
}

$r = mt_rand(0, $max); // $r is now a number between 0 and mt_getrandmax()
 [2010-11-23 14:09 UTC]
Automatic comment from SVN on behalf of iliaa
Log: Fixed bug #46587 (mt_rand() does not check that max is greater than min).
 [2010-11-23 14:09 UTC]
-Status: Assigned
+Status: Closed
-Assigned To: pajoye
+Assigned To: iliaa
 [2010-11-23 14:09 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

 [2010-11-25 17:44 UTC]
Automatic comment from SVN on behalf of cataphract
Log: - Fixed bug #53403 (use of uninitialized values). Fixes the fix for bug #46587.
- Added test for bug #46587.
 [2011-01-27 13:50 UTC] belov1985 at gmail dot com
Arr.. I've used this feature for five years!! ]:->

mt_rand(0, 10) works, but mt_rand(10, 0) - why not? It's great that there is no need to check min & max...

WBR, Konstantin
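
A defensive wrapper for the two cases discussed in this report (a max that overflows the integer range, and min greater than max), added here as an example; it is not code from the report or from PHP itself. checked_mt_rand() is a hypothetical helper name, and rejecting ranges wider than mt_getrandmax() is this example's assumption rather than documented mt_rand() behaviour.

```php
<?php
// Added example: validate bounds before calling mt_rand().
// checked_mt_rand() is a hypothetical helper, not a PHP built-in.

function checked_mt_rand($min, $max)
{
    // A bound that overflowed the integer range arrives as a float
    // (e.g. mt_getrandmax() + 1000 on a 32-bit build). Reject it
    // instead of letting the cast to int wrap it to a negative value.
    if (!is_int($min) || !is_int($max)) {
        throw new InvalidArgumentException('bounds must be integers');
    }
    if ($min > $max) {
        throw new InvalidArgumentException('min must not exceed max');
    }
    // Width of the range; a float result means the subtraction overflowed.
    $span = $max - $min;
    if (!is_int($span) || $span > mt_getrandmax()) {
        throw new InvalidArgumentException('range wider than mt_getrandmax()');
    }
    return mt_rand($min, $max);
}

// Constructed inputs: a valid range, swapped bounds, and the bound
// from the reproduce code in this report.
$cases = array(
    array(0, 10),
    array(10, 0),
    array(0, mt_getrandmax() + 1000),
);

foreach ($cases as $case) {
    list($min, $max) = $case;
    try {
        $r = checked_mt_rand($min, $max);
        echo "[$min, $max] -> $r\n";
    } catch (InvalidArgumentException $e) {
        echo "[$min, $max] rejected: ", $e->getMessage(), "\n";
    }
}
```

On a 32-bit build the third case is rejected by the integer check because the bound is already a float; on a 64-bit build it is rejected by the range-width check.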
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Sun Nov 29 23:01:35 2015 UTC