Bug #51105 PHP str_repeat() Function Integer Overflow
Submitted: 2010-02-21 14:44 UTC Modified: 2010-10-16 00:31 UTC
Votes:9
Avg. Score:3.8 ± 1.6
Reproduced:2 of 4 (50.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: r3d dot w0rm at yahoo dot com Assigned:
Status: Not a bug Package: Strings related
PHP Version: 5.3.2RC2 OS: All
Private report: No CVE-ID:
 [2010-02-21 14:44 UTC] r3d dot w0rm at yahoo dot com
Description:
------------
PHP str_repeat() Function Integer Overflow

AUTHOR : Sina Yazdanmehr(R3d.W0rm)

Discovered by : Sina Yazdanmehr (R3d.W0rm)

Our Site : http://IrCrash.com

Our Forums : http://ircrash.com/persian/

My Official WebSite : http://R3dW0rm.ir

IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr)

Reproduce code:
---------------
<?php
//www.IrCrash.com
//By : R3d.W0rm
$str1 = str_repeat('0x0x0x0x',999999999);
$str2 = str_repeat($str1,1);
?>  

Expected result:
----------------
Fatal error: Possible integer overflow in memory allocation (8 * 999999999 + 1) in F:\Program Files\EasyPHP-5.3.1\www\over.php on line 4


Fatal error: Possible integer overflow in memory allocation (8 * 999999999 + 1) in /var/www/html/over.php on line 4


 [2010-02-21 15:14 UTC] pajoye@php.net
Which processor and OS do you use? I get the expected fatal error here.
 [2010-02-21 16:33 UTC] r3d dot w0rm at yahoo dot com
OS: Win XP SP2, Fedora 11
CPU: 2.2
 [2010-02-21 17:26 UTC] pajoye@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2010-03-01 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2010-07-16 01:41 UTC] php at crummett dot us
PHP says you do not have enough memory to do this. The string generated would be 8GiB in size.

Also, this can be simplified as:

Reproduce code:
---------------
<?php
str_repeat('0x0x0x0x',999999999);

Actual result:
---------------
Fatal error: Possible integer overflow in memory allocation (8 * 999999999 + 1) in crash.php  on line 2
 [2010-10-16 00:31 UTC] felipe@php.net
-Status: No Feedback +Status: Bogus
 [2010-10-16 00:31 UTC] felipe@php.net
I cannot reproduce this. (probably already fixed)
 [2011-11-22 05:35 UTC] firexware at gmail dot com
The problem was not reproducible because you were using 64-bit php which uses 64-bit signed integers.

Try this:

<?php
$str1 = str_repeat('0x0x0x0x', 18446744073709551615);
echo "all good so far...\n";
$str2 = str_repeat('0x0x0x0x', 2305843009213693952);
?>

18446744073709551615 is 2^64 - 1, which is -1 in two's complement.
2305843009213693952 is 2^61

Output:

all good so far...
PHP Fatal error:  Possible integer overflow in memory allocation (8 * 2305843009213693952 + 1) in /tmp/test.php on line 4

Expected output:

PHP Fatal error:  Possible integer overflow in memory allocation (8 * 18446744073709551615 + 1) in /tmp/test.php on line 2
all good so far...
PHP Fatal error:  Possible integer overflow in memory allocation (8 * 2305843009213693952 + 1) in /tmp/test.php on line 4
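
The arithmetic behind the "Possible integer overflow in memory allocation (8 * N + 1)" message discussed in this thread, as an added example that is not part of the original report and is not PHP's source code: a checked `count * length + 1` size computation evaluated against a 32-bit and a 64-bit size limit. The function names and the `max` parameter are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not PHP's implementation): computes
 * nmemb * size + offset and reports whether the result fits below `max`,
 * the largest representable size (UINT32_MAX models a 32-bit build,
 * UINT64_MAX a 64-bit build). On failure *out is left untouched. */
static bool checked_alloc_size(uint64_t nmemb, uint64_t size, uint64_t offset,
                               uint64_t max, uint64_t *out)
{
    /* nmemb * size exceeds max exactly when nmemb > max / size. */
    if (size != 0 && nmemb > max / size)
        return false;
    uint64_t product = nmemb * size;
    /* Adding offset overflows when it exceeds the remaining headroom. */
    if (offset > max - product)
        return false;
    *out = product + offset;
    return true;
}

/* What the same expression yields with no check on a 32-bit size type:
 * the true result is silently reduced modulo 2^32. */
static uint32_t wrapped_size_32(uint32_t nmemb, uint32_t size, uint32_t offset)
{
    return (uint32_t)((uint64_t)nmemb * size + offset);
}

int main(void)
{
    uint64_t out = 0;
    /* Repeat counts taken from the reports above; the string is 8 bytes. */
    const uint64_t counts[] = { 999999999ULL, 2305843009213693952ULL,
                                18446744073709551615ULL };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        bool ok32 = checked_alloc_size(counts[i], 8, 1, UINT32_MAX, &out);
        bool ok64 = checked_alloc_size(counts[i], 8, 1, UINT64_MAX, &out);
        printf("8 * %llu + 1: 32-bit %s, 64-bit %s\n",
               (unsigned long long)counts[i],
               ok32 ? "fits" : "overflow", ok64 ? "fits" : "overflow");
    }
    printf("unchecked 32-bit result for 999999999: %lu bytes\n",
           (unsigned long)wrapped_size_32(999999999u, 8u, 1u));
    return 0;
}
```

Without the check, a 32-bit build would request a buffer far smaller than the 7999999993 bytes the copy loop expects, which is the condition the fatal error exists to stop.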
 
Last updated: Fri Apr 18 08:02:55 2014 UTC