Bug #48093 Generated index is reset due to integer overflow
Submitted: 2009-04-27 23:02 UTC
Modified: 2009-06-07 19:40 UTC
From: Marcel dot Glacki at stud dot fh-swf dot de
Assigned:
Status: Not a bug
Package: Arrays related
PHP Version: 5.2.9
OS: *
Private report: No
CVE-ID: None
 [2009-04-27 23:02 UTC] Marcel dot Glacki at stud dot fh-swf dot de
Description:
------------
The generated index normally has the highest integer value regarding all integers it has encountered as indexes before. (And is automatically increased by +1)

It is possible to reset this index (the internal pointer) not only by the functions intended to do so (like reset()) but also by increasing it above integers' max value (integer overflow).

Reproduce code:
---------------
<?php
$max_int = 2147483647; // Max value for integer on a 32-bit system
$arr = array();

$arr[1] = 'one'; // New index: 2
$arr[ $max_int ] = 'two'; // New index: -2147483648
$arr[0] = 'three'; // New index: 1 (already occupied with value 'one')
$arr[]  = 'failure here'; // Warning: Cannot add element to the array as the next element is already occupied.
?>


 [2009-04-28 07:55 UTC] sniper@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php


 [2009-04-28 14:03 UTC] Marcel dot Glacki at stud dot fh-swf dot de
Hi,

Well, I checked the manual (even in other languages). But if I missed something essential, let me know.

What I wanted to point out is that the manual says integers are converted to float if an integer overflow is encountered. (See: http://www.php.net/manual/en/language.types.integer.php at section "Integer overflow")

Furthermore, the manual says about using arrays that when no index is given, the array itself generates an index to use. (See: http://www.php.net/manual/en/language.types.array.php at section "Creating/modifying with square bracket syntax") It says: "As mentioned above, if no key is specified, the maximum of the existing integer indices is taken, and the new key will be that maximum value plus 1."

So what happens when this maximum value is already MAX_INT? It then is not converted to float and if so, it would then be truncated to integer ... and then the integer overflow comes across.

Again, the manual says "the MAXIMUM of the existing integer indices ... is taken" and that's just not true for the code I provided in the first post and the one down below.

Here's another code sample to show:

<?php
$max_int = 2147483647; // Max integer value on a 32-bit system
$arr     = array();

$arr[]           = 'some';
$arr[ $max_int ] = 'values';
$arr[]           = 'another'; // The max of int indices is taken +1 for this key/index
$arr[]           = 'value'; // This should be the same index as for value 'another' as max_int is the maximum integer index in the array. But it doesn't happen.

print_r( $arr );

?>

Which prints:
Array
(
    [0] => some
    [2147483647] => values
    [-2147483648] => another
    [-2147483647] => value
)


Regards,
Marcel
 [2009-06-07 19:40 UTC] mattwil@php.net
Your initial report is technically correct, as far as what's happening internally, and the second example shows it -- the initial example would too if this line is commented/removed:

$arr[1] = 'one'; // New index: 2

Otherwise, this is a duplicate of Bug #47836, which is now fixed. The initial code will still give the same warning (I'm sure you expect that though), but for a different reason internally. :-)
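
The index arithmetic this thread describes, modelled in C as an added example (not code from the report, the replies, or PHP's source). model_t, set_key, append and the saturate switch are hypothetical names; the clamping mode is an assumed hardening shown for comparison, not a description of the fix for Bug #47836.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model, not PHP's source: integer keys plus a signed 32-bit
   "next generated index" field, as on the 32-bit build in the report. */
enum { CAP = 8 };
typedef struct {
    int32_t keys[CAP];
    int     used;
    int32_t next_free;  /* key that $arr[] would use next */
    int     saturate;   /* 0 = wrapping model, 1 = clamping model (assumption) */
} model_t;

static int has_key(const model_t *m, int32_t k) {
    for (int i = 0; i < m->used; i++)
        if (m->keys[i] == k) return 1;
    return 0;
}

/* $arr[k] = ...; returns 0 on success, -1 if the model is full. */
int set_key(model_t *m, int32_t k) {
    if (!has_key(m, k)) {
        if (m->used == CAP) return -1;
        m->keys[m->used++] = k;
    }
    if (k < m->next_free) return 0;          /* generated index unchanged */
    if (k < INT32_MAX) m->next_free = k + 1;
    else m->next_free = m->saturate ? INT32_MAX : INT32_MIN; /* clamp or wrap */
    return 0;
}

/* $arr[] = ...; writes the generated key to *out, or returns -1 when that
   key is taken (the "next element is already occupied" case). */
int append(model_t *m, int32_t *out) {
    int32_t k = m->next_free;
    if (has_key(m, k) || set_key(m, k) != 0) return -1;
    *out = k;
    return 0;
}

int main(void) {  /* replays the thread's second sample in both modes */
    for (int mode = 0; mode < 2; mode++) {
        model_t m = { .saturate = mode };
        int32_t key = 0;
        append(&m, &key);                    /* $arr[] -> key 0 */
        set_key(&m, INT32_MAX);              /* $arr[$max_int] */
        int rc = append(&m, &key);           /* $arr[] again */
        printf("mode %d: rc=%d key=%ld\n", mode, rc, (long)key);
    }
    return 0;
}
```

In the wrapping mode the generated keys continue from the most negative integer, as in the print_r output above; in the clamping mode the append is refused instead of producing a negative key.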
 