|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
Patchesthe-patch (last revision 2012-10-26 12:24 UTC by tony2001@php.net)Pull RequestsHistoryAllCommentsChangesGit/SVN commits
[2012-10-26 12:24 UTC] tony2001@php.net
[2012-10-26 12:43 UTC] tony2001@php.net
-Status: Open
+Status: Closed
[2012-10-26 12:43 UTC] tony2001@php.net
[2012-10-26 12:43 UTC] tony2001@php.net
[2012-10-26 12:44 UTC] tony2001@php.net
[2012-10-26 12:44 UTC] tony2001@php.net
-Assigned To:
+Assigned To: tony2001
[2012-10-26 16:49 UTC] dmitry@php.net
[2013-11-17 09:32 UTC] laruence@php.net
[2014-10-07 23:21 UTC] stas@php.net
[2014-10-07 23:32 UTC] stas@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sun Oct 26 20:00:01 2025 UTC |
Description: ------------ When a fatal error happens in a __sleep/__wakeup function, BG(serialize) and BG(unserialize) contents is left intact and the next request will get those pointers again, even though at that moment they are already freed by Zend memory manager during request shutdown. If you're lucky, there is a chance you'll reuse them, which causes immediate crash. The attached scripts demonstrates the problem with serialize() and I'm kinda lazy to do the same for unserialize(), especially taking into account that the patch is extremely simple. Test script: --------------- class bar1 { function __sleep() { foo(); } } class foo1 { function __sleep() { var_dump(serialize(array("test", "1", 234))); var_dump(serialize(new bar1)); } } $o = new foo1; var_dump(unserialize('O:8:"stdclass":0:{}')); //to clear BG(serialize_lock) var_dump(serialize($o)); Expected result: ---------------- . Actual result: -------------- .