On 1/16/2011 4:18 PM, Tommy Pham wrote:
>> -----Original Message-----
>> From: Tommy Pham [mailto:tommy...@gmail.com]
>> Sent: Thursday, January 06, 2011 5:49 PM
>> To: 'Daevid Vincent'
>> Cc: 'php-general@lists.php.net'
>> Subject: RE: [PHP] [security] PHP has DoS vuln with large decimal points
>>
>>> -----Original Message-----
>>> From: Daevid Vincent [mailto:dae...@daevid.com]
>>> Sent: Wednesday, January 05, 2011 11:36 AM
>>> To: php-general@lists.php.net
>>> Subject: [PHP] [security] PHP has DoS vuln with large decimal points
>>>
>>> The error in the way floating-point and double-precision numbers are
>>> handled sends 32-bit systems running Linux, Windows, and FreeBSD into
>>> an infinite loop that consumes 100 percent of their CPU's resources.
>>> Developers are still investigating, but they say the bug appears to
>>> affect versions 5.2 and 5.3 of PHP. They say it could be trivially
>>> exploited on many websites to cause them to crash by adding long
>> numbers to certain URLs.
>>>
>>> <?php $d = 2.2250738585072011e-308; ?>
>>>
>>> The crash is also triggered when the number is expressed without
>>> scientific notation, with 324 decimal places.
>>>
>>> Read on...
>>>
>>> http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/
>>>
>>> --
>>> Daevid Vincent
>>> http://daevid.com
>>>
>>> There are only 11 types of people in this world. Those that think
>>> binary jokes are funny, those that don't, and those that don't know
> binary.
>>>
>>
>> "The size of a float is platform-dependent, although a maximum of ~1.8e308
>> with a precision of roughly 14 decimal digits is a common value (the 64
> bit
>> IEEE format)." From [1]. The example given is clearly over the limit
> within
>> the PHP core.
>>
>> This sounds like what I was mentioning before, in a different thread,
> about
>> URL hacking to induce buffer overflow.
>>
>> Regards,
>> Tommy
>>
>> [1] http://www.php.net/manual/en/language.types.float.php
>
> I found something really weird while coding a validator for floating
> protection protection.
>
> Case 1 - known DoS / PHP hangs in infinite loop:
>
> $value = '2.2250738585072011e-308';
> var_dump(floatval($value));
>
> Case 2 - works fine:
>
> $value = '2.2250738585072011e-307';
> or
> $value = '2.2250738585072011e-309';
> or
> $value = '2.225073858507201e-308';
>
> var_dump(floatval($value));
>
> I'd expect the '2.2250738585072011e-309' to hang also on my Win x64 with PHP
> FastCGI. I haven't test it on *nix platform yet. Could someone please
> confirm this?
>
> Thanks,
> Tommy
>
>
Seems to work fine for me.
$ cat float.php
<?php
echo "Example 1\n";
$value = 2.2250738585072011e-307;
var_dump(floatval($value));
var_dump($value);
echo "Example 2\n";
$value = 2.2250738585072011e-308;
var_dump(floatval($value));
var_dump($value);
echo "Example 3\n";
$value = 2.2250738585072011e-309;
var_dump(floatval($value));
var_dump($value);
echo "Example 4\n";
$value = 2.225073858507201e-308;
var_dump(floatval($value));
var_dump($value);
?>
$ php -f float.php
Example 1
float(2.2250738585072E-307)
float(2.2250738585072E-307)
Example 2
float(2.2250738585072E-308)
float(2.2250738585072E-308)
Example 3
float(2.2250738585072E-309)
float(2.2250738585072E-309)
Example 4
float(2.2250738585072E-308)
float(2.2250738585072E-308)
$ uname -a
OpenBSD serv0.cmsws.com 4.3 GENERIC#698 i386
$ php -v
PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Mar 11 2008 13:08:50)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project
No infinite loop. I like my system... :)
Jim Lucas
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
