PHP :: Bug #75208 :: signed integer overflow in zend_strtod (Zend/zend

Bug #75208

signed integer overflow in zend_strtod (Zend/zend_strtod.c)

Submitted:

2017-09-14 09:35 UTC

Modified:

2017-09-14 12:04 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

geeknik at protonmail dot ch

Assigned:

Status:

Open

Package:

Reproducible crash

PHP Version:

7.2Git-2017-09-14 (Git)

OS:

Debian 8 x64

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!

Your email address: MUST BE VALID
Solve the problem: 37 - 23 = ?
Subscribe to this entry?

[2017-09-14 09:35 UTC] geeknik at protonmail dot ch

Description:
------------
Undefined behavior in zend_strtod() triggered while fuzzing 0ee92ae.

Test script:
---------------
php -r 'var_dump(json_decode('0E2400000000'));'

Actual result:
--------------
/root/php-src/Zend/zend_strtod.c:2708:12: runtime error: signed integer overflow: 10 * 240000000 cannot be represented in type 'int'
    #0 0x165763b in zend_strtod /root/php-src/Zend/zend_strtod.c:2708:12
    #1 0x146c741 in lex_scan /root/php-src/Zend/zend_language_scanner.l:1742:2
    #2 0x14ca10a in zendlex /root/php-src/Zend/zend_compile.c:1721:11
    #3 0x143e16b in zendparse /root/php-src/Zend/zend_language_parser.c:4227:16
    #4 0x144dbb2 in zend_compile /root/php-src/Zend/zend_language_scanner.l:585:7
    #5 0x145010c in compile_string /root/php-src/Zend/zend_language_scanner.l:767:14
    #6 0x154c4d3 in zend_eval_stringl /root/php-src/Zend/zend_execute_API.c:1068:17
    #7 0x154d12b in zend_eval_stringl_ex /root/php-src/Zend/zend_execute_API.c:1121:11
    #8 0x154d12b in zend_eval_string_ex /root/php-src/Zend/zend_execute_API.c:1132
    #9 0x1a28558 in do_cli /root/php-src/sapi/cli/php_cli.c:1042:8
    #10 0x1a26227 in main /root/php-src/sapi/cli/php_cli.c:1404:18
    #11 0x7f686738eb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
    #12 0x44159b in _start (/root/php-src/sapi/cli/php+0x44159b)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/php-src/Zend/zend_strtod.c:2708:12

Patches

fix-gdtoa-overflow-2.diff (last revision 2017-09-14 12:28 UTC by jedisct1@php.net)
fix-gdtoa-overflow.diff (last revision 2017-09-14 12:12 UTC by jedisct1@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-09-14 11:45 UTC] jedisct1@php.net

This is a bug in some really old piece of code (gdtoa, [David M. Gay's floating-point conversion library](http://www.netlib.org/fp/)), present in PHP, but also many C libraries.

The same issue can be reproduced on every system using it.

strtod(`0E2400000000`, NULL) returns 0, and doesn't set errno.

I'm going to send a patch upstream, but since PHP doesn't bother checking errno after calling strtod() (intentionally: https://github.com/php/php-src/blob/ccf74422a9f6f40981acd44fe76450cdad4942b2/Zend/zend_language_scanner.l#L1641 ), this isn't going to improve the situation much.

Why is PHP intentionally ignoring overflows?

[2017-09-14 12:04 UTC] nikic@php.net

> strtod(`0E2400000000`, NULL) returns 0, and doesn't set errno.

Isn't that the correct behavior? 0e{anything} should still be zero, right?

Regarding the missing check for errno, the intention here is to interpret something like 1e1000 as INF.

[2017-09-14 12:12 UTC] jedisct1@php.net

The following patch has been added/updated:

Patch Name: fix-gdtoa-overflow.diff
Revision:   1505391121
URL:        https://bugs.php.net/patch-display.php?bug=75208&patch=fix-gdtoa-overflow.diff&revision=1505391121

[2017-09-14 12:17 UTC] jedisct1@php.net

0 is a special case, but we're still triggering an undefined behavior here.

Silently reducing to 1e1000 to INF can be unexpected as well. Applications may not expect 1e1000 to be equal to 1e10000 without at least a warning.

[2017-09-14 12:28 UTC] jedisct1@php.net

The following patch has been added/updated:

Patch Name: fix-gdtoa-overflow-2.diff
Revision:   1505392085
URL:        https://bugs.php.net/patch-display.php?bug=75208&patch=fix-gdtoa-overflow-2.diff&revision=1505392085

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Apr 20 06:01:28 2024 UTC