Bug #66183 Converting large strings to floats
Submitted: 2013-11-27 14:17 UTC Modified: 2015-08-28 18:18 UTC
From: aatallah at stanford dot edu Assigned: nikic (profile)
Status: Closed Package: Strings related
PHP Version: Irrelevant OS: Mac OS X 10.9
Private report: No CVE-ID: 2013-4164
 [2013-11-27 14:17 UTC] aatallah at stanford dot edu
Description:
------------
I'm using PHP 5.4.17 (cli) (built: Aug 25 2013 02:03:38), the default shipped by Apple now.

See the test script. When a string-representation of a decimal is large enough, converting it to a float causes "Fatal error: Balloc() allocation exceeds list boundary in php shell code on line 1" and terminates the script. This is similar to Ruby's bug, publicized at https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/.

Ruby fixed this by avoiding the Bigint freelist in Balloc; perhaps PHP should do something better than having a hard cutoff for k in Balloc.

Test script:
---------------
echo floatval("1.".str_repeat("1", 300000));

Expected result:
----------------
1.1111111111111, which is the output of echo floatval("1.".str_repeat("1", 300));

Actual result:
--------------
Fatal error: Balloc() allocation exceeds list boundary in php shell code on line 1
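
An added example, not part of the original report and not PHP's own code: a C model of the size-class calculation behind the "hard cutoff for k in Balloc" mentioned above, written as a pre-parse length check. It assumes the initial Bigint sizing used by s2b() in David Gay's dtoa.c (the code zend_strtod.c derives from) and a cutoff of 15 (ASSUMED_KMAX, a value this page does not state); all function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ASSUMED_KMAX 15 /* assumption: largest size class; not given on the page */

/* Count mantissa digits roughly as a strtod-style parser does: skip sign and
 * leading zeros, count digits on both sides of '.', stop at the exponent.
 * Trailing zeros are counted too, so the result is an upper bound. */
static size_t mantissa_digits(const char *s)
{
    size_t nd = 0;
    int seen_point = 0;
    while (isspace((unsigned char)*s)) s++;
    if (*s == '+' || *s == '-') s++;
    for (; *s; s++) {
        if (*s == '.' && !seen_point) { seen_point = 1; continue; }
        if (!isdigit((unsigned char)*s)) break;
        if (nd == 0 && *s == '0') continue; /* leading zeros add no digits */
        nd++;
    }
    return nd;
}

/* Size class k for nd digits: ceil(nd / 9) 32-bit words, rounded up to 2^k. */
static int bigint_size_class(size_t nd)
{
    size_t words = (nd + 8) / 9, cap = 1;
    int k = 0;
    while (words > cap) { cap <<= 1; k++; }
    return k;
}

static int exceeds_cutoff(const char *s)
{
    return bigint_size_class(mantissa_digits(s)) > ASSUMED_KMAX;
}

/* Constructed input: "1." followed by n copies of '1', as in the test script. */
static char *make_input(size_t n)
{
    char *s = malloc(n + 3);
    if (!s) return NULL;
    s[0] = '1'; s[1] = '.'; memset(s + 2, '1', n); s[n + 2] = '\0';
    return s;
}

int main(void)
{
    char *s = make_input(300000);
    if (!s) return 1;
    printf("k=%d exceeds=%d\n", bigint_size_class(mantissa_digits(s)), exceeds_cutoff(s));
    free(s);
    return 0;
}
```

Under these assumptions the cutoff is crossed at 294913 mantissa digits, which is consistent with the 300-digit input converting normally and the 300000-digit input failing.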

History

 [2013-12-12 05:27 UTC] laruence@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2013-12-12 05:28 UTC] laruence@php.net
-CVE-ID: +CVE-ID: 2013-4164
 [2013-12-12 05:29 UTC] laruence@php.net
-Type: Security +Type: Bug
 [2013-12-12 05:29 UTC] laruence@php.net
hmm, misunderstood, this is not a security bug for php
 [2015-08-28 18:18 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2015-08-28 18:18 UTC] nikic@php.net
This has been fixed in PHP 7 as part of the strtod update.
Last updated: Fri Sep 17 08:03:36 2021 UTC