#49392 [NEW]: Many PHP tests try to verify float to integer overflow result

2009-08-27 Thread cndougla at linux dot vnet dot ibm dot com
From: cndougla at linux dot vnet dot ibm dot com
Operating system: Any
PHP version:  6SVN-2009-08-27 (SVN)
PHP Bug Type: Unknown/Other Function
Bug description:  Many PHP tests try to verify float to integer overflow result

Description:

Many tests have input values like 10.5e10 that must be converted to
integer values. On 32-bit systems, the conversion overflows. According to
the PHP manual:

---
If the float is beyond the boundaries of integer (usually +/- 2.15e+9 =
2^31), the result is undefined, since the float doesn't have enough
precision to give an exact integer result. No warning, not even a notice
will be issued when this happens!
---

Therefore, the tests are attempting to verify undefined values.

Reproduce code:
---
We found a bunch of testcases with this issue by running in a ppc64 kernel
/ ppc32 userspace:

ext/standard/tests/array/array_fill_variation1.phpt
ext/standard/tests/array/array_keys_variation_002.phpt
ext/standard/tests/general_functions/gettype_settype_variation2.phpt
ext/standard/tests/strings/htmlspecialchars_decode_variation2.phpt
ext/standard/tests/strings/pack.phpt
ext/standard/tests/strings/sprintf_variation35.phpt
ext/standard/tests/strings/sprintf_variation4.phpt
ext/standard/tests/strings/sprintf_variation41.phpt
ext/standard/tests/strings/strncasecmp_variation5.phpt
ext/standard/tests/strings/strncmp_variation5.phpt
ext/standard/tests/strings/strrpos_variation14.phpt
ext/standard/tests/strings/strrpos_variation15.phpt
ext/standard/tests/strings/vsprintf_variation15.phpt
ext/standard/tests/strings/vsprintf_variation16.phpt
ext/standard/tests/strings/vsprintf_variation4.phpt

We also found the following test had issues on ppc64/ppc64:

ext/standard/tests/strings/vsprintf_variation15_64bit.phpt

Expected result:

These tests should not be checking for the value of the direct or indirect
overflow of a float to integer conversion. The tests should have the one or
two subtests that do this removed.

Actual result:
--
The tests fail on some platforms, especially split 64/32-bit
installations.

-- 
Edit bug report at http://bugs.php.net/?id=49392&edit=1
-- 
Try a snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=49392&r=trysnapshot52
Try a snapshot (PHP 5.3):
http://bugs.php.net/fix.php?id=49392&r=trysnapshot53
Try a snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=49392&r=trysnapshot60
Fixed in SVN:
http://bugs.php.net/fix.php?id=49392&r=fixed
Fixed in SVN and need be documented: 
http://bugs.php.net/fix.php?id=49392&r=needdocs
Fixed in release:
http://bugs.php.net/fix.php?id=49392&r=alreadyfixed
Need backtrace:  
http://bugs.php.net/fix.php?id=49392&r=needtrace
Need Reproduce Script:   
http://bugs.php.net/fix.php?id=49392&r=needscript
Try newer version:   
http://bugs.php.net/fix.php?id=49392&r=oldversion
Not developer issue: 
http://bugs.php.net/fix.php?id=49392&r=support
Expected behavior:   
http://bugs.php.net/fix.php?id=49392&r=notwrong
Not enough info: 
http://bugs.php.net/fix.php?id=49392&r=notenoughinfo
Submitted twice: 
http://bugs.php.net/fix.php?id=49392&r=submittedtwice
register_globals:
http://bugs.php.net/fix.php?id=49392&r=globals
PHP 4 support discontinued:  http://bugs.php.net/fix.php?id=49392&r=php4
Daylight Savings:http://bugs.php.net/fix.php?id=49392&r=dst
IIS Stability:   
http://bugs.php.net/fix.php?id=49392&r=isapi
Install GNU Sed: 
http://bugs.php.net/fix.php?id=49392&r=gnused
Floating point limitations:  
http://bugs.php.net/fix.php?id=49392&r=float
No Zend Extensions:  
http://bugs.php.net/fix.php?id=49392&r=nozend
MySQL Configuration Error:   
http://bugs.php.net/fix.php?id=49392&r=mysqlcfg
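The point of the report above, as an added example written here (not code from PHP or the reporter): a float such as 10.5e10 has no defined 32-bit integer result, so the range check has to happen before the conversion, not be asserted on afterwards. It is written in C because that is where PHP's cast is implemented; the function names are this example's own.

```c
#include <stdint.h>

/* The PHP manual passage quoted in the report says a float beyond +/- 2^31
 * has no defined integer result on a 32-bit build, and the C cast that
 * implements it is undefined for such inputs as well. So the range check
 * has to run before the cast, never after it.
 *
 * Truncation toward zero sends every d in the open interval
 * (-2^31 - 1, 2^31) into [INT32_MIN, INT32_MAX]. Both endpoints are exact
 * doubles, so the comparison is exact; NaN fails both tests and +/-Inf
 * fails one of them, so those are rejected too. */
int fits_int32(double d) {
    return d > -2147483649.0 && d < 2147483648.0;
}

/* Stores the truncated value and returns 1, or leaves *out untouched and
 * returns 0 when the conversion would be undefined. */
int checked_double_to_int32(double d, int32_t *out) {
    if (!fits_int32(d))
        return 0;
    *out = (int32_t)d;   /* in range, so the cast is well defined */
    return 1;
}

/* The converted value, or `fallback` when the input does not fit, so a
 * caller (or a test) can see the outcome in one expression. */
int32_t int32_or(double d, int32_t fallback) {
    int32_t v;
    return checked_double_to_int32(d, &v) ? v : fallback;
}

/* 10.5e10 is one of the inputs named in the report; it lies far above 2^31,
 * so a 32-bit build has no defined integer result for it. */
int main(void) {
    int32_t v;
    return checked_double_to_int32(10.5e10, &v) ? 1 : 0;
}
```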



#46318 [NEW]: gdImageFill invalid stack overflow comparison

2008-10-16 Thread cndougla at linux dot vnet dot ibm dot com
From: cndougla at linux dot vnet dot ibm dot com
Operating system: 
PHP version:  5.2.6
PHP Bug Type: GD related
Bug description:  gdImageFill invalid stack overflow comparison

Description:

In gdImageFill, a stack is created for the flood fill algorithm.
Originally it seems the stack was created with space for 1,200,000
structures, but that has since been commented out and the stack is now
created dynamically with the depth determined by the size of the image. The
macro used to push structures onto the stack was checking for overflow
based on checking the current stack pointer. Instead of comparing the stack
pointer to the real size of the stack, the stack pointer was compared
against the size of the structure (16 bytes) * 1,200,000 * 10. I have no
idea why the factor of 10 was there. This large value wraps 32-bit
arithmetic all the way around such that the comparison was no longer valid,
and it always seemed the stack had overflowed even before anything was
pushed onto it.

Reproduce code:
---


Expected result:

1

Actual result:
--
0 when the bug shows up. I found it to fail on ppc64 when it was built as
a ppc32 userspace library, while on a ppc32 or x86 or x86_64 system it
passed just fine.

-- 
Edit bug report at http://bugs.php.net/?id=46318&edit=1



#46318 [Com]: gdImageFill invalid stack overflow comparison

2008-10-16 Thread cndougla at linux dot vnet dot ibm dot com
 ID:  46318
 Comment by:  cndougla at linux dot vnet dot ibm dot com
 Reported By: cndougla at linux dot vnet dot ibm dot com
 Status:  Open
 Bug Type:GD related
 PHP Version: 5.2.6
 New Comment:

A patch to fix the issue:

diff -uNr -ur php-5.2.6.orig/ext/gd/libgd/gd.c
php-5.2.6/ext/gd/libgd/gd.c
--- php-5.2.6.orig/ext/gd/libgd/gd.c2007-11-04 17:56:00.0
-0600
+++ php-5.2.6/ext/gd/libgd/gd.c 2008-10-16 13:03:41.0 -0500
@@ -1938,9 +1938,9 @@
 struct seg {int y, xl, xr, dy;};

 /* max depth of stack */
-#define FILL_MAX 120
+#define FILL_MAX ((int)(im->sy*im->sx)/4)
 #define FILL_PUSH(Y, XL, XR, DY) \
-if (sp=0 && Y+(DY)=0 && Y+(DY)y = Y; sp->xl = XL; sp->xr = XR; sp->dy = DY; sp++;}

 #define FILL_POP(Y, XL, XR, DY) \
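Review bot: The new FILL_MAX in `+#define FILL_MAX ((int)(im->sy*im->sx)/4)` makes every expansion depend on a variable named `im` being in scope, and it evaluates `im->sy*im->sx` as an int product before the division, so large images overflow it before the /4 is applied. Computing the capacity once in gdImageFill into a size_t local, and having FILL_PUSH compare `sp - stack` against that count instead of forming a pointer limit, would remove both the hidden dependency and the wrapped comparison the description reports. The hunk does not show the allocation of `stack`, so it cannot be confirmed from here that the allocation uses the same (sx*sy)/4 size; if it does not, guard and allocation disagree. Separately, the FILL_PUSH line as posted (`-if (sp=0 && Y+(DY)=0 && Y+(DY)y = Y; ...`) has lost its comparison operators in transit and shows only one of the two changed lines, so the patch cannot be applied from this message; please attach it as a file.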


Previous Comments:
----

[2008-10-16 19:30:38] cndougla at linux dot vnet dot ibm dot com


-- 
Edit this bug report at http://bugs.php.net/?id=46318&edit=1
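An added example (not the reporter's code and not libgd's) that models the guard described in the #46318 report and the capacity expression from the patch: the old FILL_PUSH limit evaluated in 32-bit address arithmetic, next to a corrected stack that compares used slots against the capacity it actually allocated. The names fill_stack, fill_push and pushes_accepted are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

struct seg { int y, xl, xr, dy; };            /* libgd's 16-byte stack record */

/* From the report: the old FILL_MAX and the unexplained factor of 10. */
#define OLD_FILL_MAX 1200000
#define OLD_LIMIT_BYTES ((uint32_t)(sizeof(struct seg) * OLD_FILL_MAX * 10))

/* Models the original guard `sp < stack + FILL_MAX*10` with addresses held in
 * 32-bit unsigned arithmetic, as a ppc32 userspace computes pointers. When the
 * buffer sits high in the address space the limit wraps past 2^32 and lands
 * below the buffer, so the guard refuses every push, even the first one. */
int old_guard_allows_push(uint32_t stack_addr, uint32_t sp_addr) {
    uint32_t limit = stack_addr + OLD_LIMIT_BYTES;   /* wraps for large stack_addr */
    return sp_addr < limit;
}

/* Corrected form: remember the capacity that was actually allocated and compare
 * used slots against it; no pointer is ever formed past the buffer's end. */
typedef struct { struct seg *base, *sp; size_t capacity; } fill_stack;

/* Capacity follows the patch, (sx*sy)/4, but in size_t with an overflow guard. */
int fill_stack_init(fill_stack *st, size_t sx, size_t sy) {
    if (sy != 0 && sx > SIZE_MAX / sy) return 0;
    st->capacity = (sx * sy) / 4;
    st->base = st->capacity ? malloc(st->capacity * sizeof(struct seg)) : NULL;
    st->sp = st->base;
    return st->base != NULL;
}

/* Returns 1 after pushing, or 0 when full, instead of writing past the end. */
int fill_push(fill_stack *st, int y, int xl, int xr, int dy) {
    if ((size_t)(st->sp - st->base) >= st->capacity) return 0;
    st->sp->y = y; st->sp->xl = xl; st->sp->xr = xr; st->sp->dy = dy;
    st->sp++;
    return 1;
}

void fill_stack_free(fill_stack *st) { free(st->base); st->base = st->sp = NULL; }

/* Attempts sx*sy pushes and reports how many the guard accepted; with the
 * corrected guard that is exactly (sx*sy)/4, and 0 if allocation failed. */
size_t pushes_accepted(size_t sx, size_t sy) {
    fill_stack st; size_t accepted = 0, i;
    if (!fill_stack_init(&st, sx, sy)) return 0;
    for (i = 0; i < sx * sy; i++)
        accepted += (size_t)fill_push(&st, (int)i, 0, 1, 1);
    fill_stack_free(&st);
    return accepted;
}
```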