php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69702 Handle pool integer overflow
Submitted: 2015-05-24 22:21 UTC Modified: 2015-05-24 22:56 UTC
From: info at daniel-marschall dot de Assigned: nikic (profile)
Status: Closed Package: *General Issues
PHP Version: 5.4.41 OS: Linux 3.2.0-4-amd64 #1 SMP Debia
Private report: No CVE-ID: None
 [2015-05-24 22:21 UTC] info at daniel-marschall dot de
Description:
------------
Given is following CLI script, which will do a "for" loop for BigIntegers (gmp). I iterate $i from 0 to 999999999999999999 .


I see 4 problems:
1) There is no possibility to increase a GMP number without re-creating it using gmp_add() .
2) On a 64-bit OS, the max handle pool is still an unsigned 32 bit int (see below)???
3) The handle pool counter does not reset when variables are freed, therefore an integer overflow happens.
4) there is no possibility to free a gmp resource. I assume that it is done automatically, since there is no gmp_free().


Test script:
---------------
#!/usr/bin/php
<?php

$max = gmp_init("999999999999999999");
$i = gmp_init(0);

while ((gmp_cmp($i, $max) == -1)) {
        $i = gmp_add($i, 1);
}


Expected result:
----------------
Since $i is re-assigned (and the old instance of the gmp-object is freed therefore), there should be neither a memory overflow, nor anything else failing.

Actual result:
--------------
[after a very long waiting time, of course!]


PHP Warning:  gmp_cmp(): -2147483648 is not a valid GMP integer resource in .../phpbug.php on line 7
PHP Stack trace:
PHP   1. {main}() .../phpbug.php:0
PHP   2. gmp_cmp() .../phpbug.php:7

Warning: gmp_cmp(): -2147483648 is not a valid GMP integer resource in .../phpbug.php on line 7

Call Stack:
    0.0001     226000   1. {main}() .../phpbug.php:0
 4309.1840     227048   2. gmp_cmp() .../phpbug.php:7


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-05-24 22:56 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2015-05-24 22:56 UTC] nikic@php.net
The GMP issue is fixed in PHP 5.6 as a side-effect of no longer using resources: Unlike resource IDs object handles get reused. This will not be fixed in earlier versions.

For the general issue of resource id overflow see also bug #67845 and FR #47396.
 [2015-05-25 14:54 UTC] info at daniel-marschall dot de
Ok, thanks for this information.

But why does a 64bit build of PHP have a 32 bit handle address space?
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Dec 07 11:01:24 2019 UTC