Bug #71197 2 more segfaults in PHP's range() function
Submitted: 2015-12-22 15:58 UTC
Modified: 2015-12-22 16:39 UTC
From: tpunt@php.net
Assigned: tpunt
Status: Closed
Package: Reproducible crash
PHP Version: 7.0.1
OS: Mac OS X Yosemite
Private report: No
CVE-ID:
 [2015-12-22 15:58 UTC] tpunt@php.net
Description:
------------
The segfaults are caused by precision loss of large longs being converted to doubles when the `step` parameter is a double. The for loops continue infinitely since the `step` being added/subtracted upon each iteration is too small to be represented accurately as a double.

The attached patch adds another condition to each of the for loops by ensuring that the number of iterations in the loop is less than the size of the range (`__calc_size`). This prevents both loops from continuing until segfaulting; however, it doesn't give an accurate result (due to `__calc_size` being incorrect because of the aforementioned precision loss).

Test script:
---------------
<?php
var_dump(count(range(PHP_INT_MIN, PHP_INT_MIN + 513, .01)));
var_dump(count(range(PHP_INT_MIN + 513, PHP_INT_MIN, .01)));

Expected result:
----------------
// A completely correct output would be:
int(51400)
int(51400)

Actual result:
--------------
Segmentation fault: 11
Segmentation fault: 11
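
The precision loss described in the report above, shown as an added example that is not part of the original report and is not php-src code. It is a simplified model of the ascending loop only; `walk_up`, `calc_size` and `DEMO_STOP` are hypothetical names, and the safety stop exists only so the unguarded case terminates here.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical safety stop so the unguarded model terminates in this demo. */
#define DEMO_STOP 1000000ULL

/* Size estimate in double arithmetic, the role the report gives __calc_size. */
static double calc_size(double low, double high, double step)
{
    return (high - low) / step + 1.0;
}

/* Ascending walk over [ilow, ihigh] with a double step. Returns the number
 * of iterations performed, or DEMO_STOP if the loop was still running when
 * the safety stop was reached. With guarded != 0 the iteration count is
 * also bounded by calc_size, the extra condition the report describes. */
static uint64_t walk_up(int64_t ilow, int64_t ihigh, double step, int guarded)
{
    double low = (double)ilow, high = (double)ihigh; /* precision is lost here */
    double size = calc_size(low, high, step);
    double el = low;
    uint64_t i = 0;

    while (el <= high && i < DEMO_STOP) {
        if (guarded && (double)i >= size)
            break;
        el += step; /* no effect when step is under half the double spacing at el */
        i++;
    }
    return i;
}

int main(void)
{
    /* Same bounds and step as the report's first test line. */
    uint64_t n = walk_up(INT64_MIN, INT64_MIN + 513, 0.01, 0);
    printf("unguarded: %llu iterations%s\n", (unsigned long long)n,
           n == DEMO_STOP ? " (never left low)" : "");
    n = walk_up(INT64_MIN, INT64_MIN + 513, 0.01, 1);
    printf("guarded:   %llu iterations\n", (unsigned long long)n);
    n = walk_up(0, 5, 0.5, 0);
    printf("small range: %llu iterations\n", (unsigned long long)n);
    return 0;
}
```

The guarded walk stops, but its count is derived from the rounded bounds (doubles near 2^63 are spaced 1024 apart), so it does not match the expected result, as the report notes.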

History

 [2015-12-22 15:58 UTC] tpunt@php.net
-Assigned To: +Assigned To: tpunt
 [2016-01-12 07:35 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=391b73b48431aa016e396dc9ad9742e9b1f71cbf
Log: update NEWS for fixed bug #71132, fixed bug #71197
 [2016-01-12 07:35 UTC] ab@php.net
-Status: Assigned +Status: Closed
 [2016-07-20 11:34 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=391b73b48431aa016e396dc9ad9742e9b1f71cbf
Log: update NEWS for fixed bug #71132, fixed bug #71197
 
Last updated: Tue Feb 21 18:01:40 2017 UTC