PHP Devs Rush to Patch Dangerous Denial of Service Bug

The PHP Group has released patches for a serious denial of service bug that endangers the stability of numerous PHP Web applications.

The bug was first discovered and reported on his blog by a computer expert named Rick Regan, who noticed that <?php $d = 2.2250738585072011e-308; ?> send the parser in an infinite loop.

Regan was able to confirm the problem on PHP 5.3.1 under Windows and PHP 5.3.2 under Ubuntu, on a system with a Core Duo processor.

He also pointed out that 2.2250738585072011e-308 represents the largest subnormal double-precision floating-point number.

Other people were able to replicate the issue on Debian, FreeBSD and different PHP versions, including the latest stable one, PHP 5.3.4.

This is considered a dangerous bug because it can reportedly be exploited by simply sending GET requests containing the floating number as a parameter.

For example, making requests for viewtopic.php?f=2.2250738585072011e-308 on phpBB or index.php?q=2.2250738585072011e-308 on Drupal, would be enough to crash installations of those popular PHP applications.

The PHP team tracked down the bug to an old and documented design flaw in the x87 subset of the x86 architecture. This means that it only 32-bit operating systems are affected, because 64-bit ones use the SSE instructions set.

The same problem was identified in the GNU Compiler Collection (gcc) back in 2000. "If you are on an architecture that uses the x87 FPU and you haven't forced SSE or float-store then you will see this problem," said PHP founder Rasmus Lerdorf in the bug report opened for the issue.

Patches have been created and are available in the SVN for both PHP 5.3.x and PHP 5.2.x. PHP 5.3.5 will be released soon, but 5.2.x won't get a new version since it has reach the end of life.