php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81368 Possible divide by zero bug in zend_inference.c
Submitted: 2021-08-17 11:48 UTC Modified: 2021-08-17 13:15 UTC
From: yguoaz at gmail dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: master-Git-2021-08-17 (Git) OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: yguoaz at gmail dot com
New email:
PHP Version: OS:

 

 [2021-08-17 11:48 UTC] yguoaz at gmail dot com 
Description:
------------
In the file Zend/Optimizer/zend_inference.c, the function zend_inference_calc_binary_op_range has the following code:

case ZEND_DIV:
  if (OP1_HAS_RANGE() && OP2_HAS_RANGE()) {
    op1_min = OP1_MIN_RANGE();
    op2_min = OP2_MIN_RANGE();
    op1_max = OP1_MAX_RANGE();
    op2_max = OP2_MAX_RANGE();
    if (op2_min <= 0 && op2_max >= 0) {
      break;
    }
    
    float_div(op1_min, op2_min, &t1, &t1_);
    float_div(op1_min, op2_max, &t2, &t2_);
    float_div(op1_max, op2_min, &t3, &t3_);
    float_div(op1_max, op2_max, &t4, &t4_); 

The function float_div uses its second argument as a divisor. If only one of
the variables from op2_min and op2_max is zero, the checking can be bypassed
and will lead to a divide by zero problem.

Here is the link to the related code in github:
https://github.com/php/php-src/blob/be2df43b08cf13b9a5791ff5eb827a125115ef52/Zend/Optimizer/zend_inference.c#L674

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-08-17 12:36 UTC] nikic@php.net
-Type: Security +Type: Bug
 [2021-08-17 12:39 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2021-08-17 12:39 UTC] nikic@php.net 
Doesn't the op2_min/op2_max check before that exclude the possibility of a division by zero?

Can you share an example that would trigger a division by zero in this code?
 [2021-08-17 13:00 UTC] yguoaz at gmail dot com
-Status: Feedback +Status: Open
 [2021-08-17 13:00 UTC] yguoaz at gmail dot com 
I think the op2_min/op2_max check before is not sufficient.
For example, op2_min==0 && op2_max < 0 can bypass it.

Can this happen? This issue is found by inspection. Thus I do not have a test case here.
 [2021-08-17 13:06 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2021-08-17 13:06 UTC] nikic@php.net 
op2_min <= op2_max is a general precondition. In additional, the check enforces !(op2_min <= 0 && op2_max >= 0), or equivalently op2_min > 0 || op2_max < 0.

If op2_min > 0 then also op2_max >= op2_min > 0. If op2_max < 0 then also op2_min <= op2_max < 0.

As such, neither op2_min or op2_max can be zero. Does that sound right?
 [2021-08-17 13:09 UTC] yguoaz at gmail dot com
-Status: Feedback +Status: Open
 [2021-08-17 13:09 UTC] yguoaz at gmail dot com 
Thanks for the clarification. It is OK then.
 [2021-08-17 13:15 UTC] nikic@php.net
-Status: Open +Status: Not a bug
 [2021-08-17 13:15 UTC] nikic@php.net 
Closing per above comments.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun Oct 27 16:01:27 2024 UTC