> -----Original Message-----
> From: Jim Lucas [mailto:li...@cmsws.com]
> Sent: Sunday, January 16, 2011 6:54 PM
> To: Tommy Pham
> Cc: email@example.com
> Subject: Re: [PHP] [security] PHP has DoS vuln with large decimal points
> On 1/16/2011 4:18 PM, Tommy Pham wrote:
> >> -----Original Message-----
> >> From: Tommy Pham [mailto:tommy...@gmail.com]
> >> Sent: Thursday, January 06, 2011 5:49 PM
> >> To: 'Daevid Vincent'
> >> Cc: 'firstname.lastname@example.org'
> >> Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal
> >> points
> >>> -----Original Message-----
> >>> From: Daevid Vincent [mailto:dae...@daevid.com]
> >>> Sent: Wednesday, January 05, 2011 11:36 AM
> >>> To: email@example.com
> >>> Subject: [PHP] [security] PHP has DoS vuln with large decimal points
> >>> The error in the way floating-point and double-precision numbers are
> >>> handled sends 32-bit systems running Linux, Windows, and FreeBSD
> >>> into an infinite loop that consumes 100 percent of their CPU's
> >>> Developers are still investigating, but they say the bug appears to
> >>> affect versions 5.2 and 5.3 of PHP. They say it could be trivially
> >>> exploited on many websites to cause them to crash by adding long
> >> numbers to certain URLs.
> >>> <?php $d = 2.2250738585072011e-308; ?>
> >>> The crash is also triggered when the number is expressed without
> >>> scientific notation, with 324 decimal places.
> >>> Read on...
> >>> http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
> >>> --
> >>> Daevid Vincent
> >>> http://daevid.com
> >>> There are only 11 types of people in this world. Those that think
> >>> binary jokes are funny, those that don't, and those that don't know
> > binary.
> >> "The size of a float is platform-dependent, although a maximum of
> >> ~1.8e308 with a precision of roughly 14 decimal digits is a common
> >> value (the 64
> > bit
> >> IEEE format)." From . The example given is clearly over the
> >> limit
> > within
> >> the PHP core.
> >> This sounds like what I was mentioning before, in a different thread,
> > about
> >> URL hacking to induce buffer overflow.
> >> Regards,
> >> Tommy
> >>  http://www.php.net/manual/en/language.types.float.php
> > I found something really weird while coding a validator for floating
> > protection protection.
> > Case 1 - known DoS / PHP hangs in infinite loop:
> > $value = '2.2250738585072011e-308';
> > var_dump(floatval($value));
> > Case 2 - works fine:
> > $value = '2.2250738585072011e-307';
> > or
> > $value = '2.2250738585072011e-309';
> > or
> > $value = '2.225073858507201e-308';
> > var_dump(floatval($value));
> > I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with
> > FastCGI. I haven't test it on *nix platform yet. Could someone please
> > confirm this?
> > Thanks,
> > Tommy
> Seems to work fine for me.
> $ cat float.php
> echo "Example 1\n";
> $value = 2.2250738585072011e-307;
> echo "Example 2\n";
> $value = 2.2250738585072011e-308;
> echo "Example 3\n";
> $value = 2.2250738585072011e-309;
> echo "Example 4\n";
> $value = 2.225073858507201e-308;
> $ php -f float.php
> Example 1
> Example 2
> Example 3
> Example 4
> $ uname -a
> OpenBSD serv0.cmsws.com 4.3 GENERIC#698 i386 $ php -v PHP 5.2.5 with
> Suhosin-Patch 0.9.6.2 (cli) (built: Mar 11 2008 13:08:50) Copyright (c)
> 2007 The PHP Group Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend
> with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project
> No infinite loop. I like my system... :)
> Jim Lucas
Thanks for the confirmation. It appears that the bug is with the official
binary Windows distribution PHP 5.3.3 NTS and most likely with 5.3.3. I
just upgrade to NTS 5.3.5 and works fine now. It also runs fine against
unofficial PHP 5.2.5 x64 Windows ISAPI.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php