Bug #74300 unserialize accepts two plus/minus signs for float number exponent part
Submitted: 2017-03-23 14:48 UTC Modified: -
From: xKhorasan+php at gmail dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 7.0Git-2017-03-23 (Git) OS: All
Private report: No CVE-ID: None
 [2017-03-23 14:48 UTC] xKhorasan+php at gmail dot com
Description:
------------
tested PHP version: PHP 7.0.18-dev (macOS Sierra 10.12.3)
configure option: --without-iconv

According to `ext/standard/var_unserializer.re`, a serialized float number is defined as `"d:" (iv | nv | nvexp) ";"`.
https://github.com/php/php-src/blob/fd4025069d561b4196851c2e9a85b5bfdfe1465a/ext/standard/var_unserializer.re#L731

And `nvexp` is defined as follows:
> iv = [+-]? [0-9]+;
> nv = [+-]? ([0-9]* "." [0-9]+|[0-9]+ "." [0-9]*);
> nvexp = (iv | nv) [eE] [+-]? iv;
https://github.com/php/php-src/blob/fd4025069d561b4196851c2e9a85b5bfdfe1465a/ext/standard/var_unserializer.re#L320-L322

Since the exponent part of `nvexp`, i.e. `[+-]? iv`, consists of an optional plus/minus sign (`[+-]?`) followed by `iv`, and `iv` may itself contain a plus/minus sign, `nvexp` may contain two plus/minus signs in the exponent part.

In addition, if the exponent part of a serialized float number contains two plus/minus signs, the information in the exponent part is not used during unserializing.


Test script:
---------------
<?php
error_reporting(E_ALL);
var_dump(unserialize('d:2e+2;'));
var_dump(unserialize('d:2e++2;'));
var_dump(unserialize('d:2e+++2;'));


Expected result:
----------------
float(200)

Notice: unserialize(): Error at offset 0 of 8 bytes in %s on line %d
bool(false)

Notice: unserialize(): Error at offset 0 of 9 bytes in %s on line %d
bool(false)


Actual result:
--------------
float(200)
float(2)

Notice: unserialize(): Error at offset 0 of 9 bytes in %s on line %d
bool(false)
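
An added example (not part of the original report and not php-src code): the grammar quoted in the description, translated to Python regular expressions and compared with a stricter `nvexp` and with a strtod-style longest-prefix conversion. The stricter rule, the conversion model and all function names are assumptions made for illustration.

```python
import re

# Token rules copied from the grammar quoted in the report.
IV = r"[+-]?[0-9]+"
NV = r"[+-]?(?:[0-9]*\.[0-9]+|[0-9]+\.[0-9]*)"
# nvexp as quoted: an optional sign, then iv, which allows a sign of its own.
NVEXP_REPORTED = rf"(?:{IV}|{NV})[eE][+-]?{IV}"
# Assumption: a stricter rule in which only iv supplies the exponent sign.
NVEXP_STRICT = rf"(?:{IV}|{NV})[eE]{IV}"


def float_token(nvexp):
    """Build the rule "d:" (iv | nv | nvexp) ";" for a given nvexp."""
    return re.compile(rf"d:(?:{IV}|{NV}|{nvexp});")


REPORTED = float_token(NVEXP_REPORTED)
STRICT = float_token(NVEXP_STRICT)

# Assumption: the converter behaves like strtod and stops at the first
# character that cannot extend a valid number.
NUMERIC_PREFIX = re.compile(r"[+-]?(?:[0-9]+\.?[0-9]*|\.[0-9]+)(?:[eE][+-]?[0-9]+)?")


def convert_prefix(text):
    """Return (value, characters consumed) for the longest numeric prefix."""
    m = NUMERIC_PREFIX.match(text)
    return (float(m.group()), m.end()) if m else (0.0, 0)


def check(payload):
    """Compare what each grammar accepts with what the converter consumes."""
    body = payload[2:-1]  # text between "d:" and ";"
    value, used = convert_prefix(body)
    return {
        "reported": REPORTED.fullmatch(payload) is not None,
        "strict": STRICT.fullmatch(payload) is not None,
        "value": value,
        "ignored": body[used:],  # non-empty: lexer and converter disagree
    }


if __name__ == "__main__":
    # The three payloads from the report's test script.
    for payload in ("d:2e+2;", "d:2e++2;", "d:2e+++2;"):
        print(payload, check(payload))
```

A non-empty `ignored` field on a payload the grammar accepts marks the case from the report: the token is accepted while part of its text never reaches the resulting value.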


History

 [2017-03-23 21:07 UTC] nikic@php.net
Automatic comment on behalf of xKhorasan@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6a1d4cd47a6ff20ae1619e0f8ec6de1eaa869258
Log: Fixed bug #74300
 [2017-03-23 21:07 UTC] nikic@php.net
-Status: Open +Status: Closed
Last updated: Thu Nov 21 08:01:29 2024 UTC