php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67247 spl_fixedarray_resize integer overflow
Submitted: 2014-05-12 00:46 UTC Modified: -
From: stas@php.net Assigned:
Status: Closed Package: *General Issues
PHP Version: 5.4.28 OS: *
Private report: No CVE-ID:
 [2014-05-12 00:46 UTC] stas@php.net
Description:
------------
SplFixedArray does not check given parameters for integer overflows when resizing.

Test script:
---------------
$ar = new SplFixedArray(1);
echo "size: ".$ar->getSize()."\n";
$ar->setSize(0x2000000000000001);  // or 0x40000001 for 32 bit
echo "size: ".$ar->getSize()."\n";


Expected result:
----------------
Integer overflow error

Actual result:
--------------
Can crash or produce valgrind error

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-05-12 01:58 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b475eebbea85779989e98e87753d6b023a1d131
Log: Fix bug #67247	spl_fixedarray_resize integer overflow
 [2014-05-12 01:58 UTC] stas@php.net
-Status: Open +Status: Closed
 [2014-05-12 09:03 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b475eebbea85779989e98e87753d6b023a1d131
Log: Fix bug #67247	spl_fixedarray_resize integer overflow
 [2014-05-13 11:25 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b475eebbea85779989e98e87753d6b023a1d131
Log: Fix bug #67247	spl_fixedarray_resize integer overflow
 [2014-05-14 07:57 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b475eebbea85779989e98e87753d6b023a1d131
Log: Fix bug #67247	spl_fixedarray_resize integer overflow
 [2014-05-26 06:33 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b475eebbea85779989e98e87753d6b023a1d131
Log: Fix bug #67247	spl_fixedarray_resize integer overflow
 [2014-07-29 21:56 UTC] johannes@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=84605098bc81517919ecb43935682fdd8a249f9d
Log: Fix bug #67247	spl_fixedarray_resize integer overflow
 [2014-08-14 15:34 UTC] johannes@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=84605098bc81517919ecb43935682fdd8a249f9d
Log: Fix bug #67247	spl_fixedarray_resize integer overflow
 [2014-08-14 19:32 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=84605098bc81517919ecb43935682fdd8a249f9d
Log: Fix bug #67247	spl_fixedarray_resize integer overflow
 [2014-10-07 23:14 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=84605098bc81517919ecb43935682fdd8a249f9d
Log: Fix bug #67247	spl_fixedarray_resize integer overflow
 [2014-10-07 23:15 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=2b475eebbea85779989e98e87753d6b023a1d131
Log: Fix bug #67247	spl_fixedarray_resize integer overflow
 [2014-10-07 23:25 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=84605098bc81517919ecb43935682fdd8a249f9d
Log: Fix bug #67247	spl_fixedarray_resize integer overflow
 [2014-10-07 23:26 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=2b475eebbea85779989e98e87753d6b023a1d131
Log: Fix bug #67247	spl_fixedarray_resize integer overflow
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Apr 23 05:01:47 2017 UTC