Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:81449
Return-Path: <rowan.collins@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 7049 invoked from network); 30 Jan 2015 19:18:01 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 30 Jan 2015 19:18:01 -0000
Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.53 as permitted sender)
X-PHP-List-Original-Sender: rowan.collins@gmail.com
X-Host-Fingerprint: 74.125.82.53 mail-wg0-f53.google.com  
Received: from [74.125.82.53] ([74.125.82.53:43209] helo=mail-wg0-f53.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 77/71-34022-7E8DBC45 for <internals@lists.php.net>; Fri, 30 Jan 2015 14:18:00 -0500
Received: by mail-wg0-f53.google.com with SMTP id a1so28517834wgh.12
        for <internals@lists.php.net>; Fri, 30 Jan 2015 11:17:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:subject:references
         :in-reply-to:content-type:content-transfer-encoding;
        bh=skA+DkJyW/LpphvncZg+LFLZtSwn29KwZv2PW+Ad4DQ=;
        b=yzkdxnENvlOiCFSj31fcJaBz8iV0JIb2YUigjT/svB0aVIJVKS6MZlUMhlGopDGgt8
         ZRrazPNk41YgkkIcrcesU0o44WIv0sf4gwHMLWAUi84XKUmx3D0lI37znDS7g9GNacHw
         scsBbOXEee+hH/ovE29fdK8dZZWN3/6jL+67Lo1YraCHBNdhJwOwHPNUnhWW1A5j+fR8
         qtJM9BZTBxyOOW3j17Vb7NIy7w25P0BKxw8to4Gnx8Z3S/zZUxwBf3LClAqCpoHCUnYg
         fA31XG2puoZKsUnAEGAta+ULQWSVbB597Uv+oaBTjO9LqjbibKNYegbvj0EVfmsJ3EEk
         kGMQ==
X-Received: by 10.180.73.112 with SMTP id k16mr536548wiv.42.1422645476755;
        Fri, 30 Jan 2015 11:17:56 -0800 (PST)
Received: from [192.168.0.2] (cpc68956-brig15-2-0-cust215.3-3.cable.virginm.net. [82.6.24.216])
        by mx.google.com with ESMTPSA id cf12sm16175891wjb.10.2015.01.30.11.17.55
        for <internals@lists.php.net>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 30 Jan 2015 11:17:56 -0800 (PST)
Message-ID: <54CBD8CE.3010905@gmail.com>
Date: Fri, 30 Jan 2015 19:17:34 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: internals@lists.php.net
References: <1C66727D-D166-4831-87E4-35F11F398FFE@thesba.com>
In-Reply-To: <1C66727D-D166-4831-87E4-35F11F398FFE@thesba.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] How does the PHP Ghost one-liner work?
From: rowan.collins@gmail.com (Rowan Collins)

On 30/01/2015 18:42, Robert Williams wrote:
> % php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);’
>
> What’s not being discussed is how it works. From the naive viewpoint of a PHP end-user, I’d expect this one-liner to have the same effect:
>
> % php -r '$e="0$e"; gethostbyname($e);’
>
> But it doesn’t. Can someone familiar with PHP’s internals explain why this code triggers the overflow, and whether it will actually do so reliably?

No need to be familiar with the internals, you just need to unroll the 
loop properly in your head:

initialise: $e = "0"; => "0"
$i=0: $e = "0$e"; => "0" . "0" => "00"
$i=1: $e = "0$e"; => "0" . "00" => "000"
and so on until you have 2501 zeroes when $i=2499

As Patrick points out, this is a really weird way of initialising that 
variable, and is presumably translated from another language by someone 
who doesn't know PHP.

-- 
Rowan Collins
[IMSoP]