It was reported that supplying a large negative number as the second parameter to round() reliably produces a segmentation fault on 64-bit builds.

Upstream bug:
https://bugs.php.net/bug.php?id=71201

Upstream patch:
https://git.php.net/?p=php-src.git;a=commit;h=0d822f6df946764f3f0348b82efae2e1eaa83aa0
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1305565]
Not security (needs specially crafted code)
(In reply to Remi Collet from comment #2)
> Not security (needs specially crafted code)

It also does not seem to be reproducible with our PHP builds. Additionally, the crash backtrace in the upstream bug suggests some compiler / optimization issue. The crash happens in the php_intpow10() function:

    static inline double php_intpow10(int power) {
        static const double powers[] = {
            1e0,  1e1,  1e2,  1e3,  1e4,  1e5,  1e6,  1e7,
            1e8,  1e9,  1e10, 1e11, 1e12, 1e13, 1e14, 1e15,
            1e16, 1e17, 1e18, 1e19, 1e20, 1e21, 1e22};

        /* Not in lookup table */
        if (power < 0 || power > 22) {
            return pow(10.0, (double)power);
        }
        return powers[power];
    }

According to the backtrace, the function is called with power=-2147483648. Hence the 'return powers[power]' where the crash is reported should not be reached, and the function should rather call 'return pow(10.0, (double)power)'.
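A defensive variant of the lookup discussed above, as an added example that is not PHP's code or the upstream patch. It assumes, which this page does not show, that the precision arrives as a 64-bit integer and that a caller takes its magnitude before indexing; negating INT_MIN is undefined behaviour in C, so a compiler may treat the result as non-negative. The names intpow10_lookup, clamp_places and places_magnitude are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Same table as the quoted php_intpow10(). Returns 1 and stores the value
 * when power is a valid index; returns 0 when the caller must fall back to
 * pow(10.0, power), as the quoted function does. */
static int intpow10_lookup(int power, double *out)
{
    static const double powers[] = {
        1e0,  1e1,  1e2,  1e3,  1e4,  1e5,  1e6,  1e7,
        1e8,  1e9,  1e10, 1e11, 1e12, 1e13, 1e14, 1e15,
        1e16, 1e17, 1e18, 1e19, 1e20, 1e21, 1e22};
    const size_t count = sizeof(powers) / sizeof(powers[0]);

    /* A negative int converts to a very large unsigned value, so this single
     * comparison rejects both power < 0 and power > 22 and does not depend
     * on anything the compiler has inferred about the sign of power. */
    if ((unsigned int)power >= count) {
        return 0;
    }
    *out = powers[power];
    return 1;
}

/* Hypothetical helper: narrow a 64-bit precision to int by saturating.
 * The lower bound is INT_MIN + 1 so that the result can always be negated. */
static int clamp_places(int64_t precision)
{
    if (precision > INT_MAX) {
        return INT_MAX;
    }
    if (precision < INT_MIN + 1) {
        return INT_MIN + 1;
    }
    return (int)precision;
}

/* Hypothetical caller step: magnitude of the clamped precision.
 * After clamp_places() the negation cannot overflow. */
static int places_magnitude(int64_t precision)
{
    int places = clamp_places(precision);
    return places < 0 ? -places : places;
}
```
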