PHP :: Bug #52113 :: Seg fault after unserializing DatePeriod

Bug #52113

Seg fault after unserializing DatePeriod

Submitted:

2010-06-17 21:49 UTC

Modified:

2011-12-06 06:23 UTC

Votes:	4
Avg. Score:	4.8 ± 0.4
Reproduced:	4 of 4 (100.0%)
Same Version:	2 (50.0%)
Same OS:	1 (25.0%)

From:

cmc333333 at gmail dot com

Assigned:

derick (profile)

Status:

Closed

Package:

Date/time related

PHP Version:

5.3.2

OS:

Debian Squeeze/Sid

Private report:

CVE-ID:

None

View Developer Edit

[2010-06-17 21:49 UTC] cmc333333 at gmail dot com

Description:
------------
PHP 5.3.2-1 with Suhosin-Patch (cli) (built: Mar 14 2010 00:09:57
Standard Debian packages

Segfault when trying to construct a DatePeriod with an unserialized DateInterval.

Test script:
---------------
<?php
$start = new DateTime('2003-01-02 08:00:00');
$end = new DateTime('2003-01-02 12:00:00');
$diff = $start->diff($end);
$p = new DatePeriod($start, $diff, 2);

$diff_s = serialize($diff);

$diff_un = unserialize($diff_s);
//  Will segfault
$p = new DatePeriod($start, $diff_un, 2);


Expected result:
----------------
No Segfault

Actual result:
--------------
#0  timelib_rel_time_clone (rel=0x0) at /usr/include/bits/string3.h:52
#1  0x000000000042de6a in zim_DatePeriod___construct (ht=29638928, return_value=0x0, return_value_ptr=0x0, 
    this_ptr=0x1c09668, return_value_used=104)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/ext/date/php_date.c:3727
#2  0x00007fd3c9990c5c in xdebug_execute_internal (current_execute_data=0x7fd3d3bd6068, return_value_used=0)
    at /build/buildd-xdebug_2.0.5-1+b1-amd64-qDjrMY/xdebug-2.0.5/build-php5/xdebug.c:1631
#3  0x00000000006cb4c6 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fd3d3bd6068)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/Zend/zend_vm_execute.h:315
#4  0x00000000006a29b0 in execute (op_array=0x1c03258)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/Zend/zend_vm_execute.h:104
#5  0x00007fd3c99908a9 in xdebug_execute (op_array=0x1c03258)
    at /build/buildd-xdebug_2.0.5-1+b1-amd64-qDjrMY/xdebug-2.0.5/build-php5/xdebug.c:1562
#6  0x000000000067a64d in zend_execute_scripts (type=0, retval=0x7fffdbd0dd20, file_count=3)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/Zend/zend.c:1266
#7  0x0000000000626288 in php_execute_script (primary_file=Cannot access memory at address 0x8000dbd0cbb8
)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/main/main.c:2288
#8  0x000000000070a992 in main (argc=0, argv=0x2c4bf84)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/sapi/cli/php_cli.c:1196

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-06-18 02:49 UTC] dtajchreber@php.net

-Status: Open +Status: Verified -Assigned To: +Assigned To: derick

[2010-06-18 02:49 UTC] dtajchreber@php.net

Verified with a fresh checkout. Assigning to Derick. 

david@beirut:~/php/5_3$ sapi/cli/php -v
PHP 5.3.3-dev (cli) (built: Jun 17 2010 19:42:56) 
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies


(gdb) r -ddate.timezone="America/Chicago" /home/david/test.php
Starting program: /home/david/php/5_3/sapi/cli/php -
ddate.timezone="America/Chicago" /home/david/test.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
timelib_rel_time_clone (rel=0x0) at /usr/include/bits/string3.h:52
52	  return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0  timelib_rel_time_clone (rel=0x0) at /usr/include/bits/string3.h:52
#1  0x0000000000421728 in zim_DatePeriod___construct (ht=<value optimized out>, 
return_value=<value optimized out>, return_value_ptr=<value optimized out>, 
this_ptr=0xde26c8, 
    return_value_used=<value optimized out>) at 
/home/david/php/5_3/ext/date/php_date.c:3752
#2  0x00000000006afd36 in zend_do_fcall_common_helper_SPEC 
(execute_data=0x7ffff7e7f050) at /home/david/php/5_3/Zend/zend_vm_execute.h:316
#3  0x00000000006a9e58 in execute (op_array=0xddd8f8) at 
/home/david/php/5_3/Zend/zend_vm_execute.h:107
#4  0x00000000006855da in zend_execute_scripts (type=8, retval=<value optimized 
out>, file_count=3) at /home/david/php/5_3/Zend/zend.c:1194
#5  0x00000000006352ed in php_execute_script (primary_file=<value optimized 
out>) at /home/david/php/5_3/main/main.c:2260
#6  0x000000000070bad0 in main (argc=<value optimized out>, argv=<value 
optimized out>) at /home/david/php/5_3/sapi/cli/php_cli.c:1192

[2011-01-22 08:37 UTC] stas@php.net

DatePeriod, as most others Date* objects, does not have proper serialization 
handler, this is the cause of the segfault.

[2011-01-22 08:45 UTC] stas@php.net

I meant DateInterval, but true for DatePeriod too.

[2011-01-30 10:50 UTC] stas@php.net

-Summary: Seg fault while creating DatePeriod +Summary: Seg fault after unserializing DatePeriod

[2011-11-24 21:47 UTC] felipe@php.net

Another way to have a related crash:

<?php
class dummy extends DateInterval {
        public function __construct() {
        }
}
$x = new dummy;
$x->y = 1;


0x0000000000447349 in date_interval_write_property (object=0x7ffff7fcb200, member=0x7ffff7fcd708, value=0x7ffff7fcb180, key=0x7ffff7fcd708, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/ext/date/php_date.c:3496
3496			SET_VALUE_FROM_STRUCT(y, "y");
gdb$ bt
#0  0x0000000000447349 in date_interval_write_property (object=0x7ffff7fcb200, member=0x7ffff7fcd708, value=0x7ffff7fcb180, key=0x7ffff7fcd708, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/ext/date/php_date.c:3496
#1  0x0000000000af9683 in zend_assign_to_object (retval=0x0, object_ptr=0x7ffff7fcf8f0, property_name=0x7ffff7fcd708, value_type=0x1, value_op=0x7ffff7fcc7a0, Ts=0x7ffff7f95190, opcode=0x88, key=0x7ffff7fcd708, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/Zend/zend_execute.c:738
#2  0x0000000000bfe0b1 in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_HANDLER (execute_data=0x7ffff7f950f8, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/Zend/zend_vm_execute.h:28753
#3  0x0000000000afdab1 in execute (op_array=0x7ffff7fcec00, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/Zend/zend_vm_execute.h:410
#4  0x0000000000ab5029 in zend_execute_scripts (type=0x8, tsrm_ls=0x13ae0c0, retval=0x0, file_count=0x3) at /home/felipe/dev/phptrunk/Zend/zend.c:1272
#5  0x00000000009fa7a5 in php_execute_script (primary_file=0x7fffffffe180, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/main/main.c:2414
#6  0x0000000000c3d2ce in do_cli (argc=0x2, argv=0x7fffffffe538, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/sapi/cli/php_cli.c:983
#7  0x0000000000c3e519 in main (argc=0x2, argv=0x7fffffffe538) at /home/felipe/dev/phptrunk/sapi/cli/php_cli.c:1356

[2011-12-06 06:23 UTC] derick@php.net

-Status: Verified +Status: Closed

[2011-12-06 06:23 UTC] derick@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2013-08-30 05:59 UTC] remi@php.net

Related To: Bug #65564

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 08:01:29 2024 UTC