Bug #81368 Possible divide by zero bug in zend_inference.c
Submitted: 2021-08-17 11:48 UTC Modified: 2021-08-17 13:15 UTC
From: yguoaz at gmail dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: master-Git-2021-08-17 (Git) OS: Linux
Private report: No CVE-ID: None

 [2021-08-17 11:48 UTC] yguoaz at gmail dot com
In the file Zend/Optimizer/zend_inference.c, the function zend_inference_calc_binary_op_range has the following code:

case ZEND_DIV:
  if (OP1_HAS_RANGE() && OP2_HAS_RANGE()) {
    op1_min = OP1_MIN_RANGE();
    op2_min = OP2_MIN_RANGE();
    op1_max = OP1_MAX_RANGE();
    op2_max = OP2_MAX_RANGE();
    if (op2_min <= 0 && op2_max >= 0) {
    float_div(op1_min, op2_min, &t1, &t1_);
    float_div(op1_min, op2_max, &t2, &t2_);
    float_div(op1_max, op2_min, &t3, &t3_);
    float_div(op1_max, op2_max, &t4, &t4_); 

The function float_div uses its second argument as a divisor. If only one of
the variables from op2_min and op2_max is zero, the checking can be bypassed
and will lead to a divide by zero problem.

Here is the link to the related code in github:

 [2021-08-17 12:36 UTC]
-Type: Security +Type: Bug
 [2021-08-17 12:39 UTC]
-Status: Open +Status: Feedback
 [2021-08-17 12:39 UTC]
Doesn't the op2_min/op2_max check before that exclude the possibility of a division by zero?

Can you share an example that would trigger a division by zero in this code?
 [2021-08-17 13:00 UTC] yguoaz at gmail dot com
-Status: Feedback +Status: Open
 [2021-08-17 13:00 UTC] yguoaz at gmail dot com
I think the op2_min/op2_max check before is not sufficient.
For example, op2_min==0 && op2_max < 0 can bypass it.

Can this happen? This issue was found by inspection, so I do not have a test case here.
 [2021-08-17 13:06 UTC]
-Status: Open +Status: Feedback
 [2021-08-17 13:06 UTC]
op2_min <= op2_max is a general precondition. In addition, the check enforces !(op2_min <= 0 && op2_max >= 0), or equivalently op2_min > 0 || op2_max < 0.

If op2_min > 0 then also op2_max >= op2_min > 0. If op2_max < 0 then also op2_min <= op2_max < 0.

As such, neither op2_min nor op2_max can be zero. Does that sound right?
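The argument in the comment above can be checked mechanically. The following is an added illustration, not code from zend_inference.c or from either participant: it models the interval division the thread discusses with hypothetical names (range_t, divisor_range_is_safe, endpoint_div, div_range, guard_excludes_zero) and an endpoint_div stand-in for float_div that asserts on a zero divisor. guard_excludes_zero then enumerates every well-formed divisor range in a small window and confirms that the guard never admits a zero endpoint; the case raised in the report (op2_min == 0 with op2_max < 0) is rejected by the min <= max precondition instead.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Added illustration (not code from zend_inference.c): interval division as the
 * thread describes it. Each operand is an inclusive [min, max] integer range and
 * the quotient range is bounded by the four endpoint quotients. */

typedef struct { long min, max; } range_t;

typedef struct {
    bool ok;         /* false when nothing could be inferred (divisor crosses zero) */
    double lo, hi;   /* inferred bounds of op1 / op2 when ok */
} div_result_t;

/* The guard quoted in the report, negated: division is only attempted when
 * op2.min > 0 || op2.max < 0, i.e. the range lies entirely on one side of zero. */
static bool divisor_range_is_safe(range_t op2) {
    return !(op2.min <= 0 && op2.max >= 0);
}

/* Hypothetical stand-in for float_div(): one endpoint quotient as a double.
 * The assert makes any division by zero loud, which is what the report feared. */
static double endpoint_div(long a, long b) {
    assert(b != 0);
    return (double)a / (double)b;
}

static double min4(double a, double b, double c, double d) {
    double m = a;
    if (b < m) m = b;
    if (c < m) m = c;
    if (d < m) m = d;
    return m;
}

static double max4(double a, double b, double c, double d) {
    double m = a;
    if (b > m) m = b;
    if (c > m) m = c;
    if (d > m) m = d;
    return m;
}

/* Infers the range of op1 / op2. Both inputs must be well-formed (min <= max),
 * the "general precondition" the closing comment relies on. */
static div_result_t div_range(range_t op1, range_t op2) {
    div_result_t r = { false, 0.0, 0.0 };
    assert(op1.min <= op1.max && op2.min <= op2.max);
    if (!divisor_range_is_safe(op2)) {
        return r;            /* mirrors the optimizer giving up on this case */
    }
    double t1 = endpoint_div(op1.min, op2.min);
    double t2 = endpoint_div(op1.min, op2.max);
    double t3 = endpoint_div(op1.max, op2.min);
    double t4 = endpoint_div(op1.max, op2.max);
    r.ok = true;
    r.lo = min4(t1, t2, t3, t4);
    r.hi = max4(t1, t2, t3, t4);
    return r;
}

/* Brute-force check of the closing argument: over every well-formed divisor
 * range with endpoints in [lo, hi], the guard never admits a zero endpoint. */
static bool guard_excludes_zero(long lo, long hi) {
    for (long a = lo; a <= hi; a++) {
        for (long b = a; b <= hi; b++) {      /* a <= b keeps the range well-formed */
            range_t op2 = { a, b };
            if (divisor_range_is_safe(op2) && (a == 0 || b == 0)) {
                return false;
            }
        }
    }
    return true;
}

/* The case raised in the report, op2_min == 0 && op2_max < 0, fails this. */
static bool is_well_formed(range_t r) {
    return r.min <= r.max;
}

int main(void) {
    div_result_t r = div_range((range_t){ 10, 20 }, (range_t){ 2, 5 });
    printf("[10,20] / [2,5] -> ok=%d lo=%g hi=%g\n", r.ok, r.lo, r.hi);
    r = div_range((range_t){ 1, 2 }, (range_t){ -1, 3 });
    printf("[1,2] / [-1,3]  -> ok=%d (divisor crosses zero)\n", r.ok);
    printf("guard admits a zero endpoint in [-5,5]? %s\n",
           guard_excludes_zero(-5, 5) ? "no" : "yes");
    printf("[0,-1] well-formed? %s\n",
           is_well_formed((range_t){ 0, -1 }) ? "yes" : "no");
    return 0;
}
```

The point of guard_excludes_zero is that the guard alone does not rule out a zero endpoint; it is the guard together with min <= max that does, which is exactly the two-part argument made above.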
 [2021-08-17 13:09 UTC] yguoaz at gmail dot com
-Status: Feedback +Status: Open
 [2021-08-17 13:09 UTC] yguoaz at gmail dot com
Thanks for the clarification. It is OK then.
 [2021-08-17 13:15 UTC]
-Status: Open +Status: Not a bug
 [2021-08-17 13:15 UTC]
Closing per above comments.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jul 24 15:01:29 2024 UTC