Bug #51430 Numeric string array key is being implicitly cast to 32bit int and overflowing
Submitted: 2010-03-29 20:18 UTC Modified: 2010-09-30 00:08 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: will at flourishlib dot com Assigned:
Status: Duplicate Package: Scripting Engine problem
PHP Version: 5.3.3RC1 OS: Fedora 12 x86, OpenSuse 11 x86
Private report: No CVE-ID:
 [2010-03-29 20:18 UTC] will at flourishlib dot com
Description:
------------
When trying to use a string array key that contains a number outside of the 32bit integer range, the key is being cast to an integer implicitly by PHP and is overflowing the 32bit integer limits.

This incorrect casting is present in both 5.3.1 and 5.3.2 (probably 5.3.0), however 5.1.6 through 5.2.13 do not perform this implicit casting. The manual indicates that an integer-like key will be cast to an integer, however that should not be the case when the integer will not losslessly cast, since that can cause keys to be overwritten.

Test script:
---------------
<?php
print_r(array("-2147483649" => TRUE, "-2147483648" => FALSE));
print_r(array("-2147483649" => 1, "-2147483648" => 2, "2147483647" => 3, "2147483648" => 4));

Expected result:
----------------
Array
(
    [-2147483649] => 1
    [-2147483648] =>
)
Array
(
    [-2147483649] => 1
    [-2147483648] => 2
    [2147483647] => 3
    [2147483648] => 4
)

Actual result:
--------------
Array
(
    [2147483647] => 1
    [-2147483648] =>
)
Array
(
    [2147483647] => 3
    [-2147483648] => 4
)
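As an added example, not the reporter's code and not part of the PHP source (the helper names are assumed): a check that can be run on a given build to find numeric-string keys that change or collide after PHP's array-key normalisation, which is the overwrite the report describes, together with the usual mitigation of forcing string keys.

```php
<?php
// Added example, not code from the bug report. Helper names are assumed.
// Shows how to detect numeric-string keys that PHP's array key normalisation
// turns into a different (or colliding) integer key on the running build,
// and how to force string keys so distinct ids can never overwrite each other.

// Key that PHP actually stores when $key is used as an array index.
function normalisedKey($key)
{
    $probe = array($key => true);
    return key($probe);
}

// Returns a list of ids whose stored key is not the id itself, or that share
// a stored key with an earlier id (two ids landing on one array slot).
function findLossyKeys(array $ids)
{
    $seen = array();
    $problems = array();
    foreach ($ids as $id) {
        $stored = normalisedKey($id);
        if ((string) $stored !== (string) $id) {
            $problems[] = "$id stored as $stored";
        } elseif (isset($seen[(string) $stored])) {
            $problems[] = "$id collides with " . $seen[(string) $stored];
        }
        $seen[(string) $stored] = $id;
    }
    return $problems;
}

// Mitigation: a non-numeric prefix keeps every key a string, so no integer
// conversion (and no overflow) happens regardless of PHP_INT_SIZE.
function buildSafeMap(array $ids)
{
    $map = array();
    foreach ($ids as $id) {
        $map['id:' . $id] = true;
    }
    return $map;
}

// Constructed sample ids straddling the 32-bit integer boundary.
$ids = array("-2147483649", "-2147483648", "2147483647", "2147483648");
printf("PHP_INT_SIZE=%d bytes\n", PHP_INT_SIZE);
print_r(findLossyKeys($ids));
print_r(array_keys(buildSafeMap($ids)));
```

On a build that exhibits the reported behaviour the first print_r lists the keys that were altered or collided; the prefixed map keeps four distinct keys on every build.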

 [2010-06-08 14:27 UTC] tony2001@php.net
-Status: Open +Status: Bogus
 [2010-06-08 14:27 UTC] tony2001@php.net
Not reproducible with 5.3.2, 5.3.3-dev and trunk on 64bit Linux.
 [2010-06-09 23:10 UTC] will at flourishlib dot com
On my 32bit Fedora 12 box this does occur with 5.3.2. That seems to suggest to me a 32/64bit issue. Below is the output:

# php -v
PHP 5.3.2 (cli) (built: Apr 27 2010 17:55:02)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

# php -r 'print_r(array("-2147483649" => TRUE, "-2147483648" => FALSE));'
Array
(
    [2147483647] => 1
    [-2147483648] =>
)

# uname -a
Linux vm-fedora 2.6.31.12-174.2.22.fc12.i686.PAE #1 SMP Fri Feb 19 19:10:04 UTC 2010 i686 i686 i386 GNU/Linux
 [2010-06-11 15:05 UTC] will at flourishlib dot com
I just built 5.3.3-dev and I am still having the same bug:

# wget http://snaps.php.net/php5.3-201006111230.tar.bz2
# tar xvfj php5.3-201006111230.tar.bz2
# cd php5.3-201006111230/
# ./configure
# make
# cd sapi/cli/

# ./php -v
PHP 5.3.3-dev (cli) (built: Jun 11 2010 08:57:11)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

# ./php -r 'print_r(array("-2147483649" => TRUE, "-2147483648" => FALSE));'
Array
(
    [2147483647] => 1
    [-2147483648] =>
)
 [2010-06-11 15:24 UTC] will at flourishlib dot com
I just built php-trunk and got the same bug:

# wget http://snaps.php.net/php-trunk-201006111230.tar.bz2
# tar xvfj php-trunk-201006111230.tar.bz2
# cd php-trunk-201006111230/
# ./configure
# make
# cd sapi/cli/

# ./php -v
PHP 5.3.99-dev (cli) (built: Jun 11 2010 09:19:41)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2010 Zend Technologies

# ./php -r 'print_r(array("-2147483649" => TRUE, "-2147483648" => FALSE));'
Array
(
    [2147483647] => 1
    [-2147483648] =>
)

This is on a 32bit OpenSUSE machine:
# uname -a
Linux vm-opensuse 2.6.31.12-0.1-desktop #1 SMP PREEMPT 2010-01-27 08:20:11 +0100 i686 i686 i386 GNU/Linux
 [2010-06-11 15:27 UTC] colder@php.net
-Status: Bogus +Status: Open
 [2010-06-11 15:27 UTC] colder@php.net
Apparently it's still reproducible in some environments with the latest 5.3 snapshot, not on mine though.
 [2010-06-11 15:35 UTC] will at flourishlib dot com
Both 5.3.3-dev and trunk were built on the following machine:

# uname -a
Linux vm-opensuse 2.6.31.12-0.1-desktop #1 SMP PREEMPT 2010-01-27 08:20:11 +0100 i686 i686 i386 GNU/Linux

# gcc -v
Using built-in specs.
Target: i586-suse-linux
Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib --libexecdir=/usr/lib --enable-languages=c,c++,objc,fortran,obj-c++,java,ada --enable-checking=release --with-gxx-include-dir=/usr/include/c++/4.4 --enable-ssp --disable-libssp --with-bugurl=http://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --disable-libgcj --disable-libmudflap --with-slibdir=/lib --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-version-specific-runtime-libs --program-suffix=-4.4 --enable-linux-futex --without-system-libunwind --with-arch-32=i586 --with-tune=generic --build=i586-suse-linux
Thread model: posix
gcc version 4.4.1 [gcc-4_4-branch revision 150839] (SUSE Linux)
 [2010-06-11 15:52 UTC] will at flourishlib dot com
Here is the info from the original 32bit machine that also sees the bug in 5.3.3-dev:

# ./php -v
PHP 5.3.3-dev (cli) (built: Jun 11 2010 09:48:12)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

# ./php -r 'print_r(array("-2147483649" => TRUE, "-2147483648" => FALSE));'
Array
(
    [2147483647] => 1
    [-2147483648] =>
)

# uname -a
Linux vm-fedora 2.6.31.12-174.2.22.fc12.i686.PAE #1 SMP Fri Feb 19 19:10:04 UTC 2010 i686 i686 i386 GNU/Linux

# gcc -v
Using built-in specs.
Target: i686-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre --enable-libgcj-multifile --enable-java-maintainer-mode --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib --with-ppl --with-cloog --with-tune=generic --with-arch=i686 --build=i686-redhat-linux
Thread model: posix
gcc version 4.4.3 20100127 (Red Hat 4.4.3-4) (GCC)
 [2010-06-12 18:51 UTC] pajoye@php.net
@colder I don't think we ever supported 64bit numeric on 32bit platforms.
 [2010-06-18 15:17 UTC] will at flourishlib dot com
-Operating System: Fedora 12 +Operating System: Fedora 12 x86, OpenSuse 11 x86 -PHP Version: 5.3.2 +PHP Version: 5.3.3RC1
 [2010-06-18 15:17 UTC] will at flourishlib dot com
I just built PHP 5.3.3RC1 on both my Fedora x86 and OpenSuse x86 machines and the bug is present in both.


The commands used for each:

# wget http://downloads.php.net/johannes/php-5.3.3RC1.tar.bz2
# tar xvfj php-5.3.3RC1.tar.bz2
# cd php-5.3.3RC1
# ./configure
# make
# cd sapi/cli/
# ./php -r 'print_r(array("-2147483649" => TRUE, "-2147483648" => FALSE));'
Array
(
    [2147483647] => 1
    [-2147483648] =>
)


The uname -a from each:

Linux vm-fedora 2.6.31.12-174.2.22.fc12.i686.PAE #1 SMP Fri Feb 19 19:10:04 UTC 2010 i686 i686 i386 GNU/Linux

Linux vm-opensuse 2.6.31.12-0.1-desktop #1 SMP PREEMPT 2010-01-27 08:20:11 +0100 i686 i686 i386 GNU/Linux


Since there was some speculation that this may be a compiler issue, here is gcc -v for each:

Using built-in specs.
Target: i686-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre --enable-libgcj-multifile --enable-java-maintainer-mode --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib --with-ppl --with-cloog --with-tune=generic --with-arch=i686 --build=i686-redhat-linux
Thread model: posix
gcc version 4.4.3 20100127 (Red Hat 4.4.3-4) (GCC)

Using built-in specs.
Target: i586-suse-linux
Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib --libexecdir=/usr/lib --enable-languages=c,c++,objc,fortran,obj-c++,java,ada --enable-checking=release --with-gxx-include-dir=/usr/include/c++/4.4 --enable-ssp --disable-libssp --with-bugurl=http://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --disable-libgcj --disable-libmudflap --with-slibdir=/lib --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-version-specific-runtime-libs --program-suffix=-4.4 --enable-linux-futex --without-system-libunwind --with-arch-32=i586 --with-tune=generic --build=i586-suse-linux
Thread model: posix
gcc version 4.4.1 [gcc-4_4-branch revision 150839] (SUSE Linux)
 [2010-09-30 00:08 UTC] cataphract@php.net
-Status: Open +Status: Duplicate
 [2010-09-30 00:08 UTC] cataphract@php.net
Dup of #51008.
Last updated: Wed Apr 16 04:02:11 2014 UTC