Bug #68664 out of bounds write / invalid operation
Submitted: 2014-12-28 03:44 UTC Modified: 2014-12-30 08:26 UTC
From: honey at internot dot info Assigned:
Status: Not a bug Package: *General Issues
PHP Version: master-Git-2014-12-28 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
 [2014-12-28 03:44 UTC] honey at internot dot info
Description:
------------
Hi,

In /ext/standard/formatted_print.c:

158        while (magn > 0 && i > 0);

Should it be "> 0) {"?


  
158        while (magn > 0 && i > 0);
159        if (neg) {
160                numbuf[--i] = '-';



Thanks,



 [2014-12-30 08:18 UTC] stas@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2014-12-30 08:18 UTC] stas@php.net
while() is part of do/while construct, so it can not be "> 0) {". In theory, it can happen that i goes down to 0, in practice due to NUM_BUF_SIZE being 500, i starts with 499, which means magn should be at least 10^500 for this to happen, or occupy about 1661 bits. Since magn is defined as long and no known system where PHP runs has longs of this size, this does not seem to be a real issue. We could probably change the condition to i > 1 just to be nicer but I see no real issue there.
 [2014-12-30 08:26 UTC] honey at internot dot info
Hi,

The real question/problem I had with this was the semicolon used with the "while" loop.

I've never seen a statement like that. Is it correct?

I actually realized this wasn't a sec. bug earlier today, and I thought I had responded, but I must have forgotten to put the password, so my reply didn't go through.

Thanks,
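
The do/while shape discussed in this thread, as an added example that is not part of the original report or of PHP's source: `format_long` is a hypothetical helper that keeps the `i > 0` loop guard and adds explicit checks so that neither leftover digits nor the sign can be written outside the buffer. Only `NUM_BUF_SIZE` (500) comes from the thread; the function name, signature and return convention are assumptions.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define NUM_BUF_SIZE 500 /* buffer size quoted in the thread */

/* Hypothetical helper written for this example (not PHP's code).
 * Writes the decimal form of `number` right-aligned and NUL-terminated
 * into numbuf[0..size-1]. Returns the index of the first character,
 * or -1 when the text does not fit. */
static int format_long(long number, char *numbuf, int size)
{
    unsigned long magn;
    int neg = 0, i;

    if (size < 2)
        return -1;                     /* need one digit plus the NUL */
    if (number < 0) {
        neg = 1;
        magn = (unsigned long)-(number + 1) + 1; /* avoids overflow on LONG_MIN */
    } else {
        magn = (unsigned long)number;
    }

    i = size - 1;
    numbuf[i] = '\0';
    do {                               /* body runs at least once, so 0 prints "0" */
        numbuf[--i] = (char)('0' + magn % 10);
        magn /= 10;
    } while (magn > 0 && i > 0);       /* this ';' terminates the do/while statement */

    if (magn > 0)
        return -1;                     /* loop stopped on i == 0 with digits left over */
    if (neg) {
        if (i == 0)
            return -1;                 /* no slot left: numbuf[--i] would be numbuf[-1] */
        numbuf[--i] = '-';
    }
    return i;
}

int main(void)
{
    char big[NUM_BUF_SIZE], tiny[2];
    int at = format_long(LONG_MIN, big, NUM_BUF_SIZE);
    printf("LONG_MIN -> \"%s\" (%d of %d bytes)\n", big + at, NUM_BUF_SIZE - at, NUM_BUF_SIZE);
    printf("-7 into 2 bytes -> %d\n", format_long(-7, tiny, 2));
    return 0;
}
```

With the 500-byte buffer the `i == 0` branch is never reached for any `long`; shrinking the buffer to two bytes is what exercises it.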
 
Last updated: Fri Mar 29 14:01:28 2024 UTC