In association with heise online

07 January 2011, 11:53

PHP 5.3.5 / 5.2.17: Floating-Point bug fixed


As promised, PHP versions 5.3.5 and 5.2.17 have been released to fix the so-called floating-point bug. At the end of 2010 it was discovered that errors in the way the PHP scripting language converts certain numbers may cause a system resource problem. For example, on 32-bit systems, converting the string "2.2250738585072011e-308" into a floating-point number using the function zend_strtod results in an infinite loop and consequently full utilisation of CPU resources.

This problem could be exploited in a DoS attack. 64-bit systems are not affected because they use the SSE2 instruction set for floating point operations, in which the error does not occur.

The PHP developers strongly recommended that all users of the scripting language upgrade to the new versions. A previously published command-line PHP script is available to determine whether a system is affected by the bug, and for older versions of PHP, which are also affected, a patch is available for zend_strtod.
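One way to look for the value quoted above in web server access logs while systems are waiting to be upgraded or patched, as an added example that is not part of the original article or of PHP. It compares query parameters by numeric value, which assumes (the article does not say this) that other spellings of the same number, and its negation, are converted the same way; the log lines and the names `is_trigger` and `flag_requests` are constructed for illustration.

```python
import re
from decimal import Decimal
from urllib.parse import urlsplit, parse_qsl

# The string quoted in the article, held as an exact decimal value.
TRIGGER = Decimal("2.2250738585072011e-308")

# Leading decimal literal: sign, digits with optional point, optional exponent.
# strtod-style conversion reads only this numeric prefix of a string.
NUMERIC = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")


def is_trigger(text):
    """True if the numeric prefix of text equals TRIGGER in value (either sign)."""
    m = NUMERIC.match(text.lstrip())
    if not m:
        return False
    try:
        # Decimal parses and compares exactly, so "0.222...e-307" and
        # "2.22...e-308" are recognised as the same number.
        return abs(Decimal(m.group(0))) == TRIGGER
    except ArithmeticError:  # exponent outside what Decimal accepts
        return False


def flag_requests(log_lines):
    """Return (line_number, parameter_name) for every query parameter that matches."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"[A-Z]+ (\S+) HTTP/', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qsl undoes percent-encoding before the value is inspected.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if is_trigger(value):
                hits.append((n, name))
    return hits


# Constructed sample log lines (documentation IP addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jan/2011:10:00:01 +0000] "GET /shop?qty=2&price=19.99 HTTP/1.1" 200 512',
    '192.0.2.44 - - [07/Jan/2011:10:00:05 +0000] "GET /shop?qty=2.2250738585072011e-308 HTTP/1.1" 200 0',
    '192.0.2.44 - - [07/Jan/2011:10:00:09 +0000] "GET /shop?qty=1&w=0.22250738585072011e-307 HTTP/1.1" 200 0',
    '192.0.2.44 - - [07/Jan/2011:10:00:12 +0000] "GET /shop?w=22250738585072011e%2D324 HTTP/1.1" 200 0',
    '192.0.2.51 - - [07/Jan/2011:10:00:20 +0000] "GET /shop?w=2.2250738585072012e-308 HTTP/1.1" 200 7',
]
```

The same `is_trigger` check can be applied to POST fields or cookies once they have been decoded; upgrading or patching zend_strtod remains the fix.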

