Bug #75208 signed integer overflow in zend_strtod (Zend/zend_strtod.c)
Submitted: 2017-09-14 09:35 UTC Modified: 2017-09-14 12:04 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: geeknik at protonmail dot ch Assigned:
Status: Open Package: Reproducible crash
PHP Version: 7.2Git-2017-09-14 (Git) OS: Debian 8 x64
Private report: No CVE-ID: None
 [2017-09-14 09:35 UTC] geeknik at protonmail dot ch
Description:
------------
Undefined behavior in zend_strtod() triggered while fuzzing 0ee92ae.

Test script:
---------------
php -r 'var_dump(json_decode('0E2400000000'));'

Actual result:
--------------
/root/php-src/Zend/zend_strtod.c:2708:12: runtime error: signed integer overflow: 10 * 240000000 cannot be represented in type 'int'
    #0 0x165763b in zend_strtod /root/php-src/Zend/zend_strtod.c:2708:12
    #1 0x146c741 in lex_scan /root/php-src/Zend/zend_language_scanner.l:1742:2
    #2 0x14ca10a in zendlex /root/php-src/Zend/zend_compile.c:1721:11
    #3 0x143e16b in zendparse /root/php-src/Zend/zend_language_parser.c:4227:16
    #4 0x144dbb2 in zend_compile /root/php-src/Zend/zend_language_scanner.l:585:7
    #5 0x145010c in compile_string /root/php-src/Zend/zend_language_scanner.l:767:14
    #6 0x154c4d3 in zend_eval_stringl /root/php-src/Zend/zend_execute_API.c:1068:17
    #7 0x154d12b in zend_eval_stringl_ex /root/php-src/Zend/zend_execute_API.c:1121:11
    #8 0x154d12b in zend_eval_string_ex /root/php-src/Zend/zend_execute_API.c:1132
    #9 0x1a28558 in do_cli /root/php-src/sapi/cli/php_cli.c:1042:8
    #10 0x1a26227 in main /root/php-src/sapi/cli/php_cli.c:1404:18
    #11 0x7f686738eb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
    #12 0x44159b in _start (/root/php-src/sapi/cli/php+0x44159b)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/php-src/Zend/zend_strtod.c:2708:12
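
The sanitizer message above (`10 * 240000000` overflowing a 32-bit `int`) comes from the exponent-digit loop in zend_strtod(), which accumulates every digit into a 32-bit `Long` before checking whether the exponent exceeds gdtoa's 19999 cap. The following is an added example, not gdtoa's code and not either patch attached to this report: a stand-alone exponent parser that applies the same 19999 clamp while accumulating, so the intermediate value can never overflow no matter how many digits follow the `E`. The function names and the wrapper helpers are my own.

```c
/* Added example: clamped exponent parsing in the spirit of gdtoa's
 * "e = 19999" substitution, but applied during accumulation rather
 * than after the full (possibly overflowing) multiply-add loop. */
#include <stdio.h>

#define EXP_CLAMP 19999   /* value gdtoa substitutes for oversized exponents */

/* Parse the digits after 'e'/'E' (optional sign first). On success *sp is
 * advanced past the digits; with no digits, *sp is untouched and 0 returned.
 * The returned magnitude is clamped to EXP_CLAMP, so a literal such as
 * 0E2400000000 yields 19999 instead of overflowing a 32-bit accumulator. */
int parse_exponent_clamped(const char **sp)
{
    const char *s = *sp;
    int sign = 1;
    long exp = 0;   /* never exceeds 10 * EXP_CLAMP + 9 = 199999 */

    if (*s == '+' || *s == '-') {
        if (*s == '-') sign = -1;
        s++;
    }
    if (*s < '0' || *s > '9')
        return 0;                       /* "1e" or "1e+" : not an exponent */

    while (*s == '0') s++;              /* leading zeros carry no value */
    while (*s >= '0' && *s <= '9') {
        if (exp <= EXP_CLAMP)           /* accumulate only while under the cap */
            exp = 10 * exp + (*s - '0');
        s++;                            /* but always consume the digit */
    }
    if (exp > EXP_CLAMP) exp = EXP_CLAMP;
    *sp = s;
    return sign * (int)exp;
}

/* Convenience wrappers (hypothetical helpers for demonstration/testing). */
int exponent_of(const char *digits)  { const char *p = digits; return parse_exponent_clamped(&p); }
int exponent_len(const char *digits) { const char *p = digits; parse_exponent_clamped(&p); return (int)(p - digits); }

int main(void)
{
    /* constructed inputs: the one from this report, plus a few edge cases */
    const char *samples[] = { "2400000000", "-2400000000", "1000", "0000", "20000", "x" };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("E%-12s -> exponent %6d (consumed %d chars)\n",
               samples[i], exponent_of(samples[i]), exponent_len(samples[i]));
    return 0;
}
```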

Patches

fix-gdtoa-overflow-2.diff (last revision 2017-09-14 12:28 UTC by jedisct1@php.net)
fix-gdtoa-overflow.diff (last revision 2017-09-14 12:12 UTC by jedisct1@php.net)

Pull Requests

History

 [2017-09-14 11:45 UTC] jedisct1@php.net
This is a bug in some really old piece of code (gdtoa, [David M. Gay's floating-point conversion library](http://www.netlib.org/fp/)), present in PHP, but also many C libraries.

The same issue can be reproduced on every system using it.

strtod(`0E2400000000`, NULL) returns 0, and doesn't set errno.

I'm going to send a patch upstream, but since PHP doesn't bother checking errno after calling strtod() (intentionally: https://github.com/php/php-src/blob/ccf74422a9f6f40981acd44fe76450cdad4942b2/Zend/zend_language_scanner.l#L1641 ), this isn't going to improve the situation much.

Why is PHP intentionally ignoring overflows?
 [2017-09-14 12:04 UTC] nikic@php.net
> strtod(`0E2400000000`, NULL) returns 0, and doesn't set errno.

Isn't that the correct behavior? 0e{anything} should still be zero, right?

Regarding the missing check for errno, the intention here is to interpret something like 1e1000 as INF.
 [2017-09-14 12:12 UTC] jedisct1@php.net
The following patch has been added/updated:

Patch Name: fix-gdtoa-overflow.diff
Revision:   1505391121
URL:        https://bugs.php.net/patch-display.php?bug=75208&patch=fix-gdtoa-overflow.diff&revision=1505391121
 [2017-09-14 12:17 UTC] jedisct1@php.net
0 is a special case, but we're still triggering undefined behavior here.

Silently reducing 1e1000 to INF can be unexpected as well. Applications may not expect 1e1000 to be equal to 1e10000 without at least a warning.
 [2017-09-14 12:28 UTC] jedisct1@php.net
The following patch has been added/updated:

Patch Name: fix-gdtoa-overflow-2.diff
Revision:   1505392085
URL:        https://bugs.php.net/patch-display.php?bug=75208&patch=fix-gdtoa-overflow-2.diff&revision=1505392085
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 15:01:30 2024 UTC