|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66183 Converting large strings to floats
Submitted: 2013-11-27 14:17 UTC Modified: 2015-08-28 18:18 UTC
From: aatallah at stanford dot edu Assigned: nikic (profile)
Status: Closed Package: Strings related
PHP Version: Irrelevant OS: Mac OS X 10.9
Private report: No CVE-ID: 2013-4164
 [2013-11-27 14:17 UTC] aatallah at stanford dot edu
I'm using PHP 5.4.17 (cli) (built: Aug 25 2013 02:03:38), the default shipped by Apple now.

See the test script. When a string-representation of a decimal is large enough, converting it to a float causes "Fatal error: Balloc() allocation exceeds list boundary in php shell code on line 1" and terminates the script. This is similar to Ruby's bug, publicized at

Ruby fixed this by avoiding the Bigint freelist in Balloc; perhaps PHP should do something better than having a hard cutoff for k in Balloc.

Test script:
echo floatval("1.".str_repeat("1", 300000));

Expected result:
1.1111111111111, which is the output of echo floatval("1.".str_repeat("1", 300));

Actual result:
Fatal error: Balloc() allocation exceeds list boundary in php shell code on line 1


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2013-12-12 05:27 UTC]
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2013-12-12 05:28 UTC]
-CVE-ID: +CVE-ID: 2013-4164
 [2013-12-12 05:29 UTC]
-Type: Security +Type: Bug
 [2013-12-12 05:29 UTC]
hmm, misunderstood, this is not a security bug for php
 [2015-08-28 18:18 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2015-08-28 18:18 UTC]
This has been fixed in PHP 7 as part of the strtod update.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Thu Jun 08 05:03:37 2023 UTC