PHP :: Bug #51430 :: Numeric string array key is being implicitly cast to 32bit int and overflowing

Bug #51430

Numeric string array key is being implicitly cast to 32bit int and overflowing

Submitted:

2010-03-29 20:18 UTC

Modified:

2010-09-30 00:08 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

will at flourishlib dot com

Assigned:

Status:

Duplicate

Package:

Scripting Engine problem

PHP Version:

5.3.3RC1

OS:

Fedora 12 x86, OpenSuse 11 x86

Private report:

CVE-ID:

None

View Developer Edit

[2010-03-29 20:18 UTC] will at flourishlib dot com

Description:
------------
When trying to use a string array key that contains a number outside of the 32bit integer range, the key is being cast to an integer implicitly by PHP and is overflowing the 32bit integer limits.

This incorrect casting is present in both 5.3.1 and 5.3.2 (probably 5.3.0), however 5.1.6 through 5.2.13 do not perform this implicit casting. The manual indicates that an integer-like key will be cast to an integer, however that should not be the case when the integer will not losslessly cast, since that can cause keys to be overwritten.

Test script:
---------------
print_r(array("-2147483649" => TRUE, "-2147483648" => FALSE));
print_r(array("-2147483649" => 1, "-2147483648" => 2, "2147483647" => 3, "2147483648" => 4));

Expected result:
----------------
Array
(
    [-2147483649] => 1
    [-2147483648] =>
)
Array
(
    [-2147483649] => 1
    [-2147483648] => 2
    [2147483647] => 3
    [2147483648] => 4
)

Actual result:
--------------
Array
(
    [2147483647] => 1
    [-2147483648] =>
)
Array
(
    [2147483647] => 3
    [-2147483648] => 4
)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-06-08 14:27 UTC] tony2001@php.net

-Status: Open +Status: Bogus

[2010-06-08 14:27 UTC] tony2001@php.net

Not reproducible with 5.3.2, 5.3.3-dev and trunk on 64bit Linux.

[2010-06-09 23:10 UTC] will at flourishlib dot com

On my 32bit Fedora 12 box this does occur with 5.3.2. That seems to suggest me a 
32/64bit issue. Below is the output:

# php -v
PHP 5.3.2 (cli) (built: Apr 27 2010 17:55:02)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

# php -r 'print_r(array("-2147483649" => TRUE, "-2147483648" => FALSE));'
Array
(
    [2147483647] => 1
    [-2147483648] =>
)

# uname -a
Linux vm-fedora 2.6.31.12-174.2.22.fc12.i686.PAE #1 SMP Fri Feb 19 19:10:04 UTC 
2010 i686 i686 i386 GNU/Linux

[2010-06-11 15:05 UTC] will at flourishlib dot com

I just built 5.3.3-dev and I am still having the same bug:

# wget http://snaps.php.net/php5.3-201006111230.tar.bz2
# tar xvfj php5.3-201006111230.tar.bz2
# cd php5.3-201006111230/
# ./configure
# make
# cd sapi/cli/

# ./php -v
PHP 5.3.3-dev (cli) (built: Jun 11 2010 08:57:11)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

# ./php -r 'print_r(array("-2147483649" => TRUE, "-2147483648" => FALSE));'
Array
(
    [2147483647] => 1
    [-2147483648] =>
)

[2010-06-11 15:24 UTC] will at flourishlib dot com

I just built php-trunk and got the same bug:

# wget http://snaps.php.net/php-trunk-201006111230.tar.bz2
# tar xvfj php-trunk-201006111230.tar.bz2
# cd php-trunk-201006111230/
# ./configure
# make
# cd sapi/cli/

# ./php -v
PHP 5.3.99-dev (cli) (built: Jun 11 2010 09:19:41)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2010 Zend Technologies

# ./php -r 'print_r(array("-2147483649" => TRUE, "-2147483648" => FALSE));'
Array
(
    [2147483647] => 1
    [-2147483648] =>
)

This is on a 32bit OpenSUSE machine:
# uname -a
Linux vm-opensuse 2.6.31.12-0.1-desktop #1 SMP PREEMPT 2010-01-27 08:20:11 +0100 
i686 i686 i386 GNU/Linux

[2010-06-11 15:27 UTC] colder@php.net

-Status: Bogus +Status: Open

[2010-06-11 15:27 UTC] colder@php.net

Apparently it's still reproducible in some environments with the latest 5.3 
snapshot, Not on mine though.

[2010-06-11 15:35 UTC] will at flourishlib dot com

Both 5.3.3-dev and trunk were built on the following machine:

# uname -a
Linux vm-opensuse 2.6.31.12-0.1-desktop #1 SMP PREEMPT 2010-01-27 08:20:11 +0100 i686 i686 i386 GNU/Linux

# gcc -v
Using built-in specs.
Target: i586-suse-linux
Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib 
--libexecdir=/usr/lib --enable-languages=c,c++,objc,fortran,obj-c++,java,ada --enable-checking=release --with-
gxx-include-dir=/usr/include/c++/4.4 --enable-ssp --disable-libssp --with-bugurl=http://bugs.opensuse.org/ --
with-pkgversion='SUSE Linux' --disable-libgcj --disable-libmudflap --with-slibdir=/lib --with-system-zlib --
enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-version-specific-runtime-
libs --program-suffix=-4.4 --enable-linux-futex --without-system-libunwind --with-arch-32=i586 --with-
tune=generic --build=i586-suse-linux
Thread model: posix
gcc version 4.4.1 [gcc-4_4-branch revision 150839] (SUSE Linux)

[2010-06-11 15:52 UTC] will at flourishlib dot com

Here is the info from the original 32bit machine that also sees the bug in 
5.3.3-dev:

# ./php -v
PHP 5.3.3-dev (cli) (built: Jun 11 2010 09:48:12)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

# ./php -r 'print_r(array("-2147483649" => TRUE, "-2147483648" => FALSE));'
Array
(
    [2147483647] => 1
    [-2147483648] =>
)

# uname -a
Linux vm-fedora 2.6.31.12-174.2.22.fc12.i686.PAE #1 SMP Fri Feb 19 19:10:04 UTC 
2010 i686 i686 i386 GNU/Linux

# gcc -v
Using built-in specs.
Target: i686-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --
infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --
enable-bootstrap --enable-shared --enable-threads=posix --enable-
checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-
exceptions --enable-gnu-unique-object --enable-languages=c,c++,objc,obj-
c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --
with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre --enable-libgcj-multifile 
--enable-java-maintainer-mode --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --
disable-libjava-multilib --with-ppl --with-cloog --with-tune=generic --with-
arch=i686 --build=i686-redhat-linux
Thread model: posix
gcc version 4.4.3 20100127 (Red Hat 4.4.3-4) (GCC)

[2010-06-12 18:51 UTC] pajoye@php.net

@colder I don't think we ever supported 64bit numeric on 32bit platforms.

[2010-06-18 15:17 UTC] will at flourishlib dot com

-Operating System: Fedora 12 +Operating System: Fedora 12 x86, OpenSuse 11 x86 -PHP Version: 5.3.2 +PHP Version: 5.3.3RC1

[2010-06-18 15:17 UTC] will at flourishlib dot com

I just built PHP 5.3.3RC1 on both my Fedora x86 and OpenSuse x86 machines and the bug is present in 
both.


The commands used for each:

# wget http://downloads.php.net/johannes/php-5.3.3RC1.tar.bz2
# tar xvfj php-5.3.3RC1.tar.bz2
# cd php-5.3.3RC1
# ./configure
# make
# cd sapi/cli/
# ./php -r 'print_r(array("-2147483649" => TRUE, "-2147483648" => FALSE));'
Array
(
    [2147483647] => 1
    [-2147483648] =>
)


The uname -a from each:

Linux vm-fedora 2.6.31.12-174.2.22.fc12.i686.PAE #1 SMP Fri Feb 19 19:10:04 UTC 2010 i686 i686 i386 
GNU/Linux

Linux vm-opensuse 2.6.31.12-0.1-desktop #1 SMP PREEMPT 2010-01-27 08:20:11 +0100 i686 i686 i386 
GNU/Linux


Since there was some speculation that this may be a compiler issue, here is gcc -v for each:

Using built-in specs.
Target: i686-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-
bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --
enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --
enable-gnu-unique-object --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --
disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre --enable-libgcj-
multifile --enable-java-maintainer-mode --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-
libjava-multilib --with-ppl --with-cloog --with-tune=generic --with-arch=i686 --build=i686-redhat-linux
Thread model: posix
gcc version 4.4.3 20100127 (Red Hat 4.4.3-4) (GCC)

Using built-in specs.
Target: i586-suse-linux
Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --
libdir=/usr/lib --libexecdir=/usr/lib --enable-languages=c,c++,objc,fortran,obj-c++,java,ada --enable-
checking=release --with-gxx-include-dir=/usr/include/c++/4.4 --enable-ssp --disable-libssp --with-
bugurl=http://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --disable-libgcj --disable-libmudflap --
with-slibdir=/lib --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-
libstdcxx-pch --enable-version-specific-runtime-libs --program-suffix=-4.4 --enable-linux-futex --
without-system-libunwind --with-arch-32=i586 --with-tune=generic --build=i586-suse-linux
Thread model: posix
gcc version 4.4.1 [gcc-4_4-branch revision 150839] (SUSE Linux)

[2010-09-30 00:08 UTC] cataphract@php.net

-Status: Open +Status: Duplicate

[2010-09-30 00:08 UTC] cataphract@php.net

Dup of #51008.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun Nov 24 19:01:32 2024 UTC