|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2011-11-19 12:36 UTC] shm@php.net
-Assigned To:
+Assigned To: shm
[2011-11-19 12:46 UTC] shm@php.net
[2011-11-19 12:48 UTC] shm@php.net
[2011-11-19 12:48 UTC] shm@php.net
-Status: Assigned
+Status: Closed
[2012-04-18 09:47 UTC] laruence@php.net
[2012-07-24 23:38 UTC] rasmus@php.net
[2013-11-17 09:35 UTC] laruence@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri May 09 04:01:27 2025 UTC |
Description: ------------ bcscale uses long typed variable to store scale passed further to bclib calls. Unfortunately bclib uses int type for scale parameter, thus large long numbers (which uses 8 bytes on 64 bits platforms) could be casted to negative number and cause memory corruption as a result of pointer arithmetic with scale param. Test script: --------------- <?php $var48 = bcscale(634314234334311); $var67 = bcsqrt(false); $var414 = bcadd(false,null,10); die('ALIVE'); ?> Expected result: ---------------- ALIVE Actual result: -------------- $ php <?php $var48 = bcscale(634314234334311); $var67 = bcsqrt(false); $var414 = bcadd(false,null,10); die('ALIVE'); ?>^D Segmentation fault: 11 (core dumped)