PHP :: Bug #34311 :: unserialize() causes php to segfault

Bug #34311	unserialize() causes php to segfault
Submitted:	2005-08-30 19:37 UTC	Modified:	2005-09-05 18:25 UTC
From:	marco at storm dot ee	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	5CVS, 4CVS (2005-08-31)	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

[2005-08-30 19:37 UTC] marco at storm dot ee

Description:
------------
OS: Debian-AMD64, Linux 2.6.12.5
Configure line: configure --enable-debug --with-zlib

gdb:
Program terminated with signal 11, Segmentation fault.

#0  0x00000000004ede39 in php_var_unserialize (rval=0x7fffffd4cc90, p=0x7fffffd4cc58,
    max=0x7bb831 "", var_hash=0x7fffffd4cc60)
    at /home/marco/soft/php-4.4.0/ext/standard/var_unserializer.c:428
#1  0x00000000004e5045 in zif_unserialize (ht=1, return_value=0x7b45e0, this_ptr=0x0,
    return_value_used=0) at /home/marco/soft/php-4.4.0/ext/standard/var.c:716
#2  0x0000000000570876 in execute (op_array=0x7b5200)
    at /home/marco/soft/php-4.4.0/Zend/zend_execute.c:1672
#3  0x000000000055aa3d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/marco/soft/php-4.4.0/Zend/zend.c:938
#4  0x000000000051f878 in php_execute_script (primary_file=0x7fffffd4f6b0)
    at /home/marco/soft/php-4.4.0/main/main.c:1751
#5  0x00000000005777a3 in main (argc=2, argv=0x7fffffd4f828)
    at /home/marco/soft/php-4.4.0/sapi/cli/php_cli.c:828


Segfault reproduced with php4-STABLE-200508300648 and php-4.4.0.

Reproduce code:
---------------
<?php

 $fp = fopen('http://194.204.33.43/test.txt', 'r');
 $line = fread($fp, 1);
 unserialize($line);
 fclose($fp);

?>

Expected result:
----------------
no output

Actual result:
--------------
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-08-31 16:41 UTC] sniper@php.net

Short reproducing script:

# php -r 'unserialize("?");'

(that's a with ring above it :)

[2005-09-03 16:01 UTC] nlopess@php.net

After all this was just a simple typo. I've tracked it down and I've made a patch.

Patch: http://mega.ist.utl.pt/~ncpl/php_3411_patch.txt
Regenerated file with (re2c -b -o): http://mega.ist.utl.pt/~ncpl/php_var_unserializer.c.txt

[2005-09-05 18:25 UTC] sniper@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Feb 22 16:01:29 2025 UTC