On 1/16/2011 4:18 PM, Tommy Pham wrote:
>> -----Original Message-----
>> From: Tommy Pham [mailto:tommyhp2@xxxxxxxxx]
>> Sent: Thursday, January 06, 2011 5:49 PM
>> To: 'Daevid Vincent'
>> Cc: 'php-general@xxxxxxxxxxxxx'
>> Subject: RE: [security] PHP has DoS vuln with large decimal points
>>
>>> -----Original Message-----
>>> From: Daevid Vincent [mailto:daevid@xxxxxxxxxx]
>>> Sent: Wednesday, January 05, 2011 11:36 AM
>>> To: php-general@xxxxxxxxxxxxx
>>> Subject: [security] PHP has DoS vuln with large decimal points
>>>
>>> The error in the way floating-point and double-precision numbers are
>>> handled sends 32-bit systems running Linux, Windows, and FreeBSD into
>>> an infinite loop that consumes 100 percent of their CPU's resources.
>>> Developers are still investigating, but they say the bug appears to
>>> affect versions 5.2 and 5.3 of PHP. They say it could be trivially
>>> exploited on many websites to cause them to crash by adding long
>>> numbers to certain URLs.
>>>
>>> <?php $d = 2.2250738585072011e-308; ?>
>>>
>>> The crash is also triggered when the number is expressed without
>>> scientific notation, with 324 decimal places.
>>>
>>> Read on...
>>>
>>> http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
>>>
>>> --
>>> Daevid Vincent
>>> http://daevid.com
>>>
>>> There are only 11 types of people in this world. Those that think
>>> binary jokes are funny, those that don't, and those that don't know
>>> binary.
>>>
>>
>> "The size of a float is platform-dependent, although a maximum of ~1.8e308
>> with a precision of roughly 14 decimal digits is a common value (the 64 bit
>> IEEE format)." From [1]. The example given is clearly over the limit within
>> the PHP core.
>>
>> This sounds like what I was mentioning before, in a different thread, about
>> URL hacking to induce buffer overflow.
>>
>> Regards,
>> Tommy
>>
>> [1] http://www.php.net/manual/en/language.types.float.php
>

> I found something really weird while coding a validator for floating point
> protection.
>
> Case 1 - known DoS / PHP hangs in infinite loop:
>
> $value = '2.2250738585072011e-308';
> var_dump(floatval($value));
>
> Case 2 - works fine:
>
> $value = '2.2250738585072011e-307';
> or
> $value = '2.2250738585072011e-309';
> or
> $value = '2.225073858507201e-308';
>
> var_dump(floatval($value));
>
> I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with PHP
> FastCGI. I haven't tested it on a *nix platform yet. Could someone please
> confirm this?
>
> Thanks,
> Tommy
>

Seems to work fine for me.

$ cat float.php
<?php
echo "Example 1\n";
$value = 2.2250738585072011e-307;
var_dump(floatval($value));
var_dump($value);

echo "Example 2\n";
$value = 2.2250738585072011e-308;
var_dump(floatval($value));
var_dump($value);

echo "Example 3\n";
$value = 2.2250738585072011e-309;
var_dump(floatval($value));
var_dump($value);

echo "Example 4\n";
$value = 2.225073858507201e-308;
var_dump(floatval($value));
var_dump($value);
?>

$ php -f float.php
Example 1
float(2.2250738585072E-307)
float(2.2250738585072E-307)
Example 2
float(2.2250738585072E-308)
float(2.2250738585072E-308)
Example 3
float(2.2250738585072E-309)
float(2.2250738585072E-309)
Example 4
float(2.2250738585072E-308)
float(2.2250738585072E-308)

$ uname -a
OpenBSD serv0.cmsws.com 4.3 GENERIC#698 i386

$ php -v
PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Mar 11 2008 13:08:50)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
    with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project

No infinite loop.

I like my system... :)

Jim Lucas

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
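Tommy mentions writing a validator that sits in front of the float conversion. The script below is an added example of what such an input-side check can look like in plain PHP; it is not code from Tommy, Jim, or the PHP project. The function name validate_float_input, the 15-significant-digit limit, the 64-character length cap, and the sample inputs are all choices made here, not values from the thread (the one trigger string is the one Daevid quoted). The point is to refuse strings that carry more decimal digits than a 64-bit double can use before they ever reach floatval(), which is where the conversion the thread is about happens. It narrows exposure from untrusted URL and form input; it does not replace running a patched interpreter.

```php
<?php
// Added example, not code from this thread. Assumes only standard PHP
// functions (preg_match, trim, strlen, is_finite); no extensions required.
//
// Rationale: a 64-bit IEEE double carries about 15-17 significant decimal
// digits, so a numeric string with more digits than that can never be
// converted exactly anyway. Rejecting such strings up front keeps them away
// from the string-to-double conversion inside floatval() / (float).

function validate_float_input($raw, $maxSignificantDigits = 15)
{
    // Hard length cap first: "0.000...0001" spelled out with hundreds of
    // zeros has one significant digit but should never be converted either.
    if (strlen($raw) > 64) {
        return null;
    }

    // Strict decimal syntax: optional sign, at least one integer digit,
    // optional fraction, optional exponent of at most 4 digits. Whitespace,
    // hex, leading ".", INF/NAN and everything else are refused outright.
    if (!preg_match('/^[+-]?(\d+)(?:\.(\d*))?(?:[eE][+-]?\d{1,4})?$/', $raw, $m)) {
        return null;
    }

    $intPart  = $m[1];
    $fracPart = isset($m[2]) ? $m[2] : '';

    // Leading and trailing zeros add no precision, so strip them before
    // counting how many digits the string really asks the double to hold.
    $significant = trim($intPart . $fracPart, '0');
    if (strlen($significant) > $maxSignificantDigits) {
        return null;
    }

    // Only now perform the conversion, and refuse results that overflowed.
    $value = (float) $raw;
    if (!is_finite($value)) {
        return null;
    }
    return $value;
}

// Constructed sample inputs (the e-308 string is the one quoted in the thread).
$samples = array(
    '3.14159',                   // accepted
    '100000000000000000000',     // trailing zeros only: accepted
    '2.2250738585072011e-307',   // 17 significant digits: refused before conversion
    '2.2250738585072011e-308',   // the value from the thread: refused before conversion
    '2.225073858507201e-308',    // 16 significant digits: refused with the default limit
    '1e400',                     // converts to INF: refused after conversion
    '0x1A',                      // not decimal syntax: refused
    str_repeat('9', 20),         // too many digits: refused
);

foreach ($samples as $s) {
    $v = validate_float_input($s);
    printf("%-28s => %s\n", $s, $v === null ? 'rejected' : sprintf('%g', $v));
}
```

The digit count is a heuristic about what a double can represent, not a test for the specific value Daevid quoted, so it also rejects other over-precise inputs that a web application has no reason to accept from a client; callers that genuinely need more than 15 digits should raise $maxSignificantDigits deliberately rather than bypass the check.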