Bug 1305504 - php: Large negative number as input to round() causes segfault on 64-bit builds
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All  OS: Linux
Priority: unspecified  Severity: unspecified
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 1305565
Blocks: 1305564
Reported: 2016-02-08 07:53 EST by Adam Mariš
Modified: 2016-10-12 07:57 EDT (History)
Fixed In Version: php 5.6.18, php 7.0.3
Doc Type: Bug Fix
Last Closed: 2016-10-12 07:57:49 EDT
Description Adam Mariš 2016-02-08 07:53:19 EST
It was reported that supplying a large negative number as the second parameter to round() reliably produces a segmentation fault on 64-bit builds.

Upstream bug:


Upstream patch:

Comment 1 Adam Mariš 2016-02-08 10:13:45 EST
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1305565]
Comment 2 Remi Collet 2016-02-08 10:21:19 EST
Not security (needs specially crafted code)
Comment 3 Tomas Hoger 2016-10-12 07:57:49 EDT
(In reply to Remi Collet from comment #2)
> Not security (needs specially crafted code)

It also does not seem to be reproducible with our PHP builds.  Additionally, the crash backtrace in the upstream bug suggests some compiler / optimization issue.  The crash happens in the php_intpow10() function:

#include <math.h>	/* pow() */

/* Returns 10^power, from a lookup table for 0 <= power <= 22. */
static inline double php_intpow10(int power) {
	static const double powers[] = {
		1e0,  1e1,  1e2,  1e3,  1e4,  1e5,  1e6,  1e7,
		1e8,  1e9,  1e10, 1e11, 1e12, 1e13, 1e14, 1e15,
		1e16, 1e17, 1e18, 1e19, 1e20, 1e21, 1e22};

	/* Not in lookup table */
	if (power < 0 || power > 22) {
		return pow(10.0, (double)power);
	}
	return powers[power];
}

According to the backtrace, the function is called with power=-2147483648.  Hence the 'return powers[power]' where the crash is reported should not be reached, and the function should rather call 'return pow(10.0, (double)power)'.
