RE: [security] PHP has DoS vuln with large decimal points

> -----Original Message-----
> From: Tommy Pham [mailto:tommyhp2@xxxxxxxxx]
> Sent: Thursday, January 06, 2011 5:49 PM
> To: 'Daevid Vincent'
> Cc: 'php-general@xxxxxxxxxxxxx'
> Subject: RE:  [security] PHP has DoS vuln with large decimal points
> 
> > -----Original Message-----
> > From: Daevid Vincent [mailto:daevid@xxxxxxxxxx]
> > Sent: Wednesday, January 05, 2011 11:36 AM
> > To: php-general@xxxxxxxxxxxxx
> > Subject:  [security] PHP has DoS vuln with large decimal points
> >
> > The error in the way floating-point and double-precision numbers are
> > handled sends 32-bit systems running Linux, Windows, and FreeBSD into
> > an infinite loop that consumes 100 percent of their CPU's resources.
> > Developers are still investigating, but they say the bug appears to
> > affect versions 5.2 and 5.3 of PHP. They say it could be trivially
> > exploited on many websites to cause them to crash by adding long
> > numbers to certain URLs.
> >
> > <?php $d = 2.2250738585072011e-308; ?>
> >
> > The crash is also triggered when the number is expressed without
> > scientific notation, with 324 decimal places.
> >
> > Read on...
> >
> > http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
> >
> > --
> > Daevid Vincent
> > http://daevid.com
> >
> > There are only 11 types of people in this world. Those that think
> > binary jokes are funny, those that don't, and those that don't know
> > binary.
> >
> 
> "The size of a float is platform-dependent, although a maximum of ~1.8e308
> with a precision of roughly 14 decimal digits is a common value (the 64 bit
> IEEE format)."  From [1].  The example given is clearly over the limit within
> the PHP core.
> 
> This sounds like what I was mentioning before, in a different thread, about
> URL hacking to induce buffer overflow.
> 
> Regards,
> Tommy
> 
> [1] http://www.php.net/manual/en/language.types.float.php

I found something really weird while coding a validator for floating
point protection.

Case 1 - known DoS / PHP hangs in infinite loop:

  $value = '2.2250738585072011e-308';
  var_dump(floatval($value));

Case 2 - works fine:

  $value = '2.2250738585072011e-307';
or
  $value = '2.2250738585072011e-309';
or
  $value = '2.225073858507201e-308';

  var_dump(floatval($value));

I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with PHP
FastCGI.  I haven't tested it on a *nix platform yet.  Could someone please
confirm this?

Thanks,
Tommy


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
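
A validator of the kind the message above mentions can screen input without ever calling floatval() on it. The following is an added example, not code from the thread or from PHP itself: normalize_decimal() and is_known_trigger() are hypothetical names, and matching on the digit prefix is an assumption chosen to be conservative. It goes one step beyond the cases listed by also catching the same number written without scientific notation or with a shifted exponent.

```php
<?php
// Added example, not from the thread. Everything here is string handling:
// the input is never cast to float, since the cast is what hangs.
// normalize_decimal() and is_known_trigger() are hypothetical names.

// Reduce a decimal literal to array(significant digits, scientific exponent),
// e.g. "0.0025" and "2.5e-3" both give array('25', -3). Null if not a number.
function normalize_decimal($s)
{
    if (!is_string($s) || !preg_match(
        '/^\s*[+-]?(\d*)(?:\.(\d*))?(?:[eE]([+-]?\d{1,9}))?\s*$/', $s, $m)) {
        return null;
    }
    $m += array('', '', '', '');            // fill groups that did not match
    $all = $m[1] . $m[2];                   // every digit, decimal point dropped
    if ($all === '') {
        return null;                        // ".", "e5", empty string
    }
    $digits = ltrim($all, '0');
    if ($digits === '') {
        return array('0', 0);               // the value is zero
    }
    $leadingZeros = strlen($all) - strlen($digits);
    $exp = ($m[3] === '') ? 0 : (int) $m[3];
    // Exponent of the first significant digit once written as d.ddd x 10^n.
    $sci = strlen($m[1]) - $leadingZeros - 1 + $exp;
    return array(rtrim($digits, '0'), $sci);
}

// True when the literal spells the value from the thread in any notation.
// Assumption: longer literals that merely start with those digits are
// rejected too, which is conservative rather than exact.
function is_known_trigger($s)
{
    $n = normalize_decimal($s);
    return $n !== null && $n[1] === -308
        && strpos($n[0], '22250738585072011') === 0;
}

// Constructed samples built from the thread's values; the third is a respelling.
$samples = array(
    '2.2250738585072011e-308',
    '0.' . str_repeat('0', 307) . '22250738585072011',  // 324 decimal places
    '22.250738585072011E-309',
    '2.2250738585072011e-307', '2.2250738585072011e-309', '2.225073858507201e-308',
);
foreach ($samples as $s) {
    echo substr($s, 0, 24), ' => ', is_known_trigger($s) ? 'reject' : 'pass', "\n";
}
```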


