number_format() crashes with large numbers.

Bug #27678

Submitted:

2004-03-24 14:27 UTC

Modified:

2005-12-26 15:49 UTC

Votes:	4
Avg. Score:	3.8 ± 0.8
Reproduced:	4 of 4 (100.0%)
Same Version:	2 (50.0%)
Same OS:	2 (50.0%)

From:

morten_odegaard at broadpark dot no

Assigned:

helly (profile)

Status:

Closed

Package:

Math related

PHP Version:

5CVS, 4CVS (2005-12-26) (cvs)

OS:

Private report:

CVE-ID:

None

[2004-03-24 14:27 UTC] morten_odegaard at broadpark dot no

Description:
------------
number_format() seems to be having problems with large numbers. I've found two different bugs, where one can segfault Apache.
They are tested on both 4.3.4 and 5.0RC1 on Linux, and 4.3.4 on Windows. Bugs happens in all of them.

--

Calling the function on numbers higher than (and including) 1e71, it will display a wrong result. Some numbers will have one 0 replaced with a 7, while some will be a digit too short, but be very close to the number it is supposed to show.

--

When calling number_format() on numbers bigger than (and including) 1e80, it will either return nothing or crash, depending on the 'decimals' parameter.

If 'decimals' is bigger then 0, then it will return nothing.

If 'decimals' is lower then 1, Apache will segfault.

Reproduce code:
---------------
$ php -r "echo number_format(1e71, 0, '', ' ');"
100 000 000 000 000 070 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000

$ php -r "echo number_format(1e72, 0, '', ' ');"
999 999 999 999 999 600 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000


$ php -r "echo number_format(1e80, 3, '', ' ');"
$ php -r "echo number_format(1e80, 0, '', ' ');"
Segmentation fault

Expected result:
----------------
100 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000

1 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000


10 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000.000

10 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000

Actual result:
--------------
Bug 1: Wrong numbers, as shown above.
Bug 2: Nothing or a segfault, as show above.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-12-12 23:52 UTC] sniper@php.net

(gdb) run -r "echo number_format(1e80, 3, '', ' ');"
Starting program: /www/php-modules/bin/php -r "echo number_format(1e80, 3, '', ' ');"
[New Thread 1087948032 (LWP 31942)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1087948032 (LWP 31942)]
0x4207c0ad in memmove () from /lib/tls/libc.so.6
(gdb) bt
#0  0x4207c0ad in memmove () from /lib/tls/libc.so.6
#1  0xbfffd8e8 in ?? ()
#2  0x08259347 in ap_php_cvt (arg=Cannot access memory at address 0xffffffef
) at /usr/src/web/php/php4/main/snprintf.c:294
Cannot access memory at address 0xffffffff

[2005-03-30 10:58 UTC] kameshj at fastmail dot fm

Regarding the segfault,
In main/snprintf.c:ap_php_cvt has a call to memmove(&buf[mvl], &buf[0], NDIG-mvl-1); NDIG-mvl-1 becomes -1 in the mentioned defect of double being 1e80, decimals 3, dec_sep '' and thousand_sep ' '.
As I could see php recognizes a float as hight as 1e308, I feel NDIG should be set accordingly to higher value let us say 310 or 311.

[2005-11-01 11:31 UTC] sniper@php.net

Marcus, can you check this out please?

[2005-12-21 23:33 UTC] sniper@php.net

3rd reminder for Marcus: Check this out after Christmas 2005 but before New Year's eve 2005-2006 :)

[2005-12-25 17:27 UTC] sniper@php.net

Marcus: It's after Christmas and before New Year's eve!
Fix this.

[2005-12-26 15:49 UTC] helly@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.