Bug #75208 signed integer overflow in zend_strtod (Zend/zend_strtod.c)
Submitted: 2017-09-14 09:35 UTC Modified: 2017-09-14 12:04 UTC
From: geeknik at protonmail dot ch Assigned:
Status: Open Package: Reproducible crash
PHP Version: 7.2Git-2017-09-14 (Git) OS: Debian 8 x64
Private report: No CVE-ID: None

 [2017-09-14 09:35 UTC] geeknik at protonmail dot ch
Undefined behavior in zend_strtod() triggered while fuzzing 0ee92ae.

Test script:
php -r 'var_dump(json_decode('0E2400000000'));'

Actual result:
/root/php-src/Zend/zend_strtod.c:2708:12: runtime error: signed integer overflow: 10 * 240000000 cannot be represented in type 'int'
    #0 0x165763b in zend_strtod /root/php-src/Zend/zend_strtod.c:2708:12
    #1 0x146c741 in lex_scan /root/php-src/Zend/zend_language_scanner.l:1742:2
    #2 0x14ca10a in zendlex /root/php-src/Zend/zend_compile.c:1721:11
    #3 0x143e16b in zendparse /root/php-src/Zend/zend_language_parser.c:4227:16
    #4 0x144dbb2 in zend_compile /root/php-src/Zend/zend_language_scanner.l:585:7
    #5 0x145010c in compile_string /root/php-src/Zend/zend_language_scanner.l:767:14
    #6 0x154c4d3 in zend_eval_stringl /root/php-src/Zend/zend_execute_API.c:1068:17
    #7 0x154d12b in zend_eval_stringl_ex /root/php-src/Zend/zend_execute_API.c:1121:11
    #8 0x154d12b in zend_eval_string_ex /root/php-src/Zend/zend_execute_API.c:1132
    #9 0x1a28558 in do_cli /root/php-src/sapi/cli/php_cli.c:1042:8
    #10 0x1a26227 in main /root/php-src/sapi/cli/php_cli.c:1404:18
    #11 0x7f686738eb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
    #12 0x44159b in _start (/root/php-src/sapi/cli/php+0x44159b)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/php-src/Zend/zend_strtod.c:2708:12


fix-gdtoa-overflow-2.diff (last revision 2017-09-14 12:28 UTC by
fix-gdtoa-overflow.diff (last revision 2017-09-14 12:12 UTC by



 [2017-09-14 11:45 UTC]
This is a bug in some really old piece of code (gdtoa, David M. Gay's floating-point conversion library), present in PHP, but also in many C libraries.

The same issue can be reproduced on every system using it.

strtod(`0E2400000000`, NULL) returns 0, and doesn't set errno.

I'm going to send a patch upstream, but since PHP doesn't bother checking errno after calling strtod() (intentionally), this isn't going to improve the situation much.

Why is PHP intentionally ignoring overflows?
 [2017-09-14 12:04 UTC]
> strtod(`0E2400000000`, NULL) returns 0, and doesn't set errno.

Isn't that the correct behavior? 0e{anything} should still be zero, right?

Regarding the missing check for errno, the intention here is to interpret something like 1e1000 as INF.
 [2017-09-14 12:12 UTC]
The following patch has been added/updated:

Patch Name: fix-gdtoa-overflow.diff
Revision:   1505391121
 [2017-09-14 12:17 UTC]
0 is a special case, but we're still triggering an undefined behavior here.

Silently reducing 1e1000 to INF can be unexpected as well. Applications may not expect 1e1000 to be equal to 1e10000 without at least a warning.
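Added example, not PHP's, gdtoa's, or any commenter's code, covering both points raised above: the exponent loop in the shape of the reported `e = 10*e + digit` accumulation next to a guarded version that clamps instead of overflowing, and a small literal parser that treats a zero mantissa as a special case (so `0E2400000000` is 0 without evaluating 0 times infinity) and reports when a finite literal such as `1e1000` has overflowed to INF, so a caller can warn rather than silently equating `1e1000` and `1e10000`. `EXP_LIMIT`, the function names and the sample inputs are assumptions of this example; it is a teaching parser, not a correctly rounded strtod replacement.

```c
#include <ctype.h>
#include <float.h>
#include <stdbool.h>
#include <stdio.h>

/* Largest decimal exponent this example represents (an assumed value). Anything
 * larger is far outside double range, so clamping loses nothing and 10*e + d stays in int. */
#define EXP_LIMIT 19999

typedef struct {
    double value;      /* 0, a finite double, or +/- infinity */
    bool exp_clamped;  /* written exponent exceeded EXP_LIMIT and was clamped */
    bool overflowed;   /* a nonzero literal did not fit in a double (now infinite) */
} dec_result;

/* Accumulation in the shape of the reported loop: e = 10*e + d with no bound.
 * On "2400000000" the last step evaluates 10 * 240000000, the signed overflow
 * UBSan flagged. Kept only for contrast; this example calls it on short inputs. */
static int naive_exponent(const char *s)
{
    int e = 0;
    while (isdigit((unsigned char)*s))
        e = 10 * e + (*s++ - '0');
    return e;
}

/* Guarded accumulation: stop growing once 10*e + d would pass EXP_LIMIT, record
 * the clamp, and still consume the remaining digits. `end` and `clamped` may be NULL. */
static int guarded_exponent(const char *s, const char **end, bool *clamped)
{
    int e = 0;
    bool hit = false;
    while (isdigit((unsigned char)*s)) {
        int d = *s - '0';
        if (e > (EXP_LIMIT - d) / 10) { hit = true; e = EXP_LIMIT; }  /* overflow-free test */
        else e = 10 * e + d;
        s++;
    }
    if (end) *end = s;
    if (clamped) *clamped = hit;
    return e;
}

/* Scale v by 10^e in plain double arithmetic: repeated multiplication goes to
 * +infinity and repeated division to 0; neither is undefined behavior. */
static double scale10(double v, int e)
{
    while (e > 0) { v *= 10.0; e--; }
    while (e < 0) { v /= 10.0; e++; }
    return v;
}

/* Parse [+-]digits[.digits][(e|E)[+-]digits]. The mantissa is kept as a double
 * (imprecise for long inputs, enough to show the control flow). A zero mantissa
 * returns 0 before the exponent is applied, so "0E2400000000" never becomes 0 * inf. */
static dec_result parse_decimal(const char *s)
{
    dec_result r = { 0.0, false, false };
    bool negative = false;
    double mant = 0.0;
    int frac_digits = 0, exp = 0;

    if (*s == '-' || *s == '+') negative = (*s++ == '-');
    while (isdigit((unsigned char)*s)) mant = mant * 10.0 + (*s++ - '0');
    if (*s == '.') {
        s++;
        while (isdigit((unsigned char)*s)) { mant = mant * 10.0 + (*s++ - '0'); frac_digits++; }
    }
    if (*s == 'e' || *s == 'E') {
        bool exp_negative = false;
        s++;
        if (*s == '-' || *s == '+') exp_negative = (*s++ == '-');
        exp = guarded_exponent(s, &s, &r.exp_clamped);
        if (exp_negative) exp = -exp;
    }
    if (mant == 0.0) {                    /* zero is zero whatever the exponent says */
        r.value = negative ? -0.0 : 0.0;
        return r;
    }
    r.value = scale10(mant, exp - frac_digits);
    r.overflowed = (r.value > DBL_MAX);   /* finite input landed on infinity */
    if (negative) r.value = -r.value;
    return r;
}

int main(void)
{
    /* Constructed inputs: the reported literal plus the 1e1000 case from the thread. */
    const char *inputs[] = { "0E2400000000", "1e1000", "1e10000", "1.5e3", "-2.5E-2" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        dec_result r = parse_decimal(inputs[i]);
        printf("%-13s -> %g%s%s\n", inputs[i], r.value,
               r.exp_clamped ? " [exponent clamped]" : "", r.overflowed ? " [overflowed to INF]" : "");
    }
    return 0;
}
```

The guard `e > (EXP_LIMIT - d) / 10` is the overflow-free way to ask whether `10*e + d` would exceed the limit, so the comparison itself never overflows; once clamped, every later digit keeps `e` at `EXP_LIMIT`. The `overflowed` flag is what an errno-style check after strtod() would have given the caller: it separates "the author wrote a value too large for a double" from "the exponent string itself was absurdly long", and a zero mantissa never sets it.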
 [2017-09-14 12:28 UTC]
The following patch has been added/updated:

Patch Name: fix-gdtoa-overflow-2.diff
Revision:   1505392085
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sat Dec 02 14:01:29 2023 UTC