RE: [security] PHP has DoS vuln with large decimal points

> -----Original Message-----
> From: Jim Lucas [mailto:lists@xxxxxxxxx]
> Sent: Sunday, January 16, 2011 6:54 PM
> To: Tommy Pham
> Cc: php-general@xxxxxxxxxxxxx
> Subject: Re:  [security] PHP has DoS vuln with large decimal points
> 
> On 1/16/2011 4:18 PM, Tommy Pham wrote:
> >> -----Original Message-----
> >> From: Tommy Pham [mailto:tommyhp2@xxxxxxxxx]
> >> Sent: Thursday, January 06, 2011 5:49 PM
> >> To: 'Daevid Vincent'
> >> Cc: 'php-general@xxxxxxxxxxxxx'
> >> Subject: RE:  [security] PHP has DoS vuln with large decimal
> >> points
> >>
> >>> -----Original Message-----
> >>> From: Daevid Vincent [mailto:daevid@xxxxxxxxxx]
> >>> Sent: Wednesday, January 05, 2011 11:36 AM
> >>> To: php-general@xxxxxxxxxxxxx
> >>> Subject:  [security] PHP has DoS vuln with large decimal points
> >>>
> >>> The error in the way floating-point and double-precision numbers are
> >>> handled sends 32-bit systems running Linux, Windows, and FreeBSD
> >>> into an infinite loop that consumes 100 percent of their CPU's
> >>> resources.
> >>> Developers are still investigating, but they say the bug appears to
> >>> affect versions 5.2 and 5.3 of PHP. They say it could be trivially
> >>> exploited on many websites to cause them to crash by adding long
> >>> numbers to certain URLs.
> >>>
> >>> <?php $d = 2.2250738585072011e-308; ?>
> >>>
> >>> The crash is also triggered when the number is expressed without
> >>> scientific notation, with 324 decimal places.
> >>>
> >>> Read on...
> >>>
> >>> http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
> >>>
> >>> --
> >>> Daevid Vincent
> >>> http://daevid.com
> >>>
> >>> There are only 11 types of people in this world. Those that think
> >>> binary jokes are funny, those that don't, and those that don't know
> >>> binary.
> >>>
> >>
> >> "The size of a float is platform-dependent, although a maximum of
> >> ~1.8e308 with a precision of roughly 14 decimal digits is a common
> >> value (the 64 bit IEEE format)."  From [1].  The example given is
> >> clearly over the limit within the PHP core.
> >>
> >> This sounds like what I was mentioning before, in a different thread,
> >> about URL hacking to induce buffer overflow.
> >>
> >> Regards,
> >> Tommy
> >>
> >> [1] http://www.php.net/manual/en/language.types.float.php
> >
> > I found something really weird while coding a validator for floating-point
> > protection.
> >
> > Case 1 - known DoS / PHP hangs in infinite loop:
> >
> >   $value = '2.2250738585072011e-308';
> >   var_dump(floatval($value));
> >
> > Case 2 - works fine:
> >
> >   $value = '2.2250738585072011e-307';
> > or
> >   $value = '2.2250738585072011e-309';
> > or
> >   $value = '2.225073858507201e-308';
> >
> >   var_dump(floatval($value));
> >
> > I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with
> > PHP FastCGI.  I haven't tested it on a *nix platform yet.  Could someone
> > please confirm this?
> >
> > Thanks,
> > Tommy
> >
> >
> 
> Seems to work fine for me.
> 
> $ cat float.php
> <?php
> 
> echo "Example 1\n";
> $value = 2.2250738585072011e-307;
> var_dump(floatval($value));
> var_dump($value);
> 
> echo "Example 2\n";
> $value = 2.2250738585072011e-308;
> var_dump(floatval($value));
> var_dump($value);
> 
> echo "Example 3\n";
> $value = 2.2250738585072011e-309;
> var_dump(floatval($value));
> var_dump($value);
> 
> echo "Example 4\n";
> $value = 2.225073858507201e-308;
> var_dump(floatval($value));
> var_dump($value);
> 
> ?>
> $ php -f float.php
> Example 1
> float(2.2250738585072E-307)
> float(2.2250738585072E-307)
> Example 2
> float(2.2250738585072E-308)
> float(2.2250738585072E-308)
> Example 3
> float(2.2250738585072E-309)
> float(2.2250738585072E-309)
> Example 4
> float(2.2250738585072E-308)
> float(2.2250738585072E-308)
> 
> $ uname -a
> OpenBSD serv0.cmsws.com 4.3 GENERIC#698 i386
> $ php -v
> PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Mar 11 2008 13:08:50)
> Copyright (c) 1997-2007 The PHP Group
> Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
>     with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project
> 
> No infinite loop.  I like my system... :)
> 
> Jim Lucas

Hi Jim,

Thanks for the confirmation.  It appears that the bug is with the official
binary Windows distribution PHP 5.3.3 NTS and most likely with 5.3.3.  I
just upgraded to NTS 5.3.5 and it works fine now.  It also runs fine against
the unofficial PHP 5.2.5 x64 Windows ISAPI.

Thanks,
Tommy




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
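
Added example, not code from anyone in the thread: two defender-side helpers for the situation Tommy describes. The first is a pre-filter for numeric strings arriving from URL parameters that rejects inputs with more than 15 significant digits (DBL_DIG for a double, in line with the "roughly 14 decimal digits" quoted from the manual above), which keeps the 17-digit trigger string out of floatval() on a build that has not yet been upgraded. The second converts a string in a child php process with a timeout so a CI job reports a hanging build as 'hang' instead of hanging itself. Function names and limits are my own assumptions; the array form of proc_open() needs PHP 7.4 or later.

```php
<?php
// Added example, not code from the thread. Two defender-side helpers:
//  1. is_safe_float_string(): reject over-long numeric strings from untrusted
//     input (URL parameters) before they reach floatval()/(float) casts.
//  2. probe_floatval(): convert a string in a child php process with a timeout,
//     so a build that hangs on the input is reported as 'hang' instead of
//     hanging the test runner. Requires PHP 7.4+ (array form of proc_open()).
// Limits are assumptions: DBL_DIG is 15, so 15 significant decimal digits
// always round-trip through a double; the thread's trigger string has 17.

function is_safe_float_string(string $s, int $maxDigits = 15, int $maxLen = 32): bool
{
    if (strlen($s) > $maxLen) {
        return false;
    }
    // plain decimal with optional sign, fraction and short exponent
    if (!preg_match('/^[+-]?(\d+)(?:\.(\d*))?(?:[eE][+-]?\d{1,3})?$/', $s, $m)) {
        return false;
    }
    $digits = ltrim($m[1] . ($m[2] ?? ''), '0');   // leading zeros are not significant
    return strlen($digits) <= $maxDigits;
}

function probe_floatval(string $s, float $timeout = 2.0): string
{
    // '--' keeps a leading '-' in $s from being parsed as a php option
    $cmd  = [PHP_BINARY, '-r', 'var_dump(floatval($argv[1]));', '--', $s];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return 'error';
    }
    fclose($pipes[0]);
    $deadline = microtime(true) + $timeout;
    while (($st = proc_get_status($proc))['running']) {
        if (microtime(true) > $deadline) {
            proc_terminate($proc, 9);          // SIGKILL the spinning child
            fclose($pipes[1]); fclose($pipes[2]); proc_close($proc);
            return 'hang';
        }
        usleep(50000);
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]); fclose($pipes[2]); proc_close($proc);
    // the exit code is only reliable from the proc_get_status() call that saw the exit
    return ($st['exitcode'] === 0 && strncmp($out, 'float(', 6) === 0) ? 'ok' : 'error';
}

// Inputs from the thread: the reported trigger and a neighbour that converts fine.
foreach (['2.2250738585072011e-308', '2.2250738585072011e-307'] as $v) {
    printf("%-26s pre-check=%s probe=%s\n", $v,
        is_safe_float_string($v) ? 'pass' : 'reject', probe_floatval($v));
}
```

On a fixed build both inputs probe 'ok' while the pre-check still rejects both for exceeding 15 digits; the pre-check limits exposure of the input path, it does not replace the upgrade the thread ends on.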