php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34045 Buffer overflow with serialized object
Submitted: 2005-08-09 07:15 UTC Modified: 2005-08-10 08:39 UTC
From: david dot tulloh at anu dot edu dot au Assigned:
Status: Closed Package: Class/Object related
PHP Version: 5CVS-2005-08-09 (dev) OS: Debian Linux
Private report: No CVE-ID: None
 [2005-08-09 07:15 UTC] david dot tulloh at anu dot edu dot au
Description:
------------
The attached code triggers what looks to me like a buffer overflow.  I've been able to reproduce it on two different computers running a current and slightly older version of PHP CVS.  Reproducable through both the CLI and Apache2. 

I stumbled across this while trying to extend SimpleTest and then cut the code back to the smallest reproduceable subset.

I suspect that the problem starts when serializing-deserializing the singleton object.  All the layers of seemingly redundant OOP are then required to bring out the error.  I really have no idea why though. 

originally sent to security@php.net.

Reproduce code:
---------------
http://cmhr118130.anu.edu.au:100/overflow.phps

Expected result:
----------------
ClassWithError::__construct - 42 - type = string(14) "BasicSingleton"
ClassWithError::__construct - 44 - type = string(14) "BasicSingleton" 

Actual result:
--------------
(continues past what's shown):
ClassWithError::__construct - 42 - type = string(14) "BasicSingleton"
ClassWithError::__construct - 44 - type = string(137552044) "tI3                                       P?]d_?l?O`F
&&!?M`OClassWithError9@OO?O`1`O?O 1O?O 1?O?P 

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-09 07:21 UTC] rasmus@php.net
Verified here:
http://lerdorf.com/valgrind.txt
 [2005-08-10 08:39 UTC] dmitry@php.net
Fixed in CVS HEAD (6.0) and PHP_5_1.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 06:01:30 2024 UTC