php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #78438 Corruption when __unserializing deeply nested structures
Submitted: 2019-08-21 15:26 UTC Modified: 2019-08-23 09:42 UTC
From: risto at live dot nl Assigned: cmb (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 7.4.0beta2 OS: Linux; Fedora 30
Private report: No CVE-ID: None
View Developer Edit
 [2019-08-21 15:26 UTC] risto at live dot nl 
Description:
------------
Data corruption seems to occur when using PHP 7.4s new __serialize and __unserialize functionality in deeply nested data structures. 

Test script:
---------------
Tested on PHP 7.4.0beta4 (cli) (built: Aug 20 2019 14:09:23) ( NTS )

However the bug has been observed in beta 1 and 2 as well.

See https://gist.github.com/Devristo/878f4dbd9e30ee3a3c235f0d2ef3431d for a reproducer.

And https://github.com/symfony/symfony/issues/33214 for the issue in the wild.

Expected result:
----------------
When running the script I expect the unserialization to succeed as it does for deeply nested structures, as it does for the smaller sized examples in the reproducer.

Actual result:
--------------
It seems that in the deeply nested examples in the reproducer unserialization fails with errors like:

 - Argument 1 passed to X::__unserialize() must be of the type array, unknown given
 - Argument 1 passed to X::__unserialize() must be of the type array, int given

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-08-22 14:51 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: Class/Object related +Package: Scripting Engine problem
 [2019-08-22 14:51 UTC] cmb@php.net 
The basic problem is that we're using two slots[1], which doesn't
work if the slots are distributed across two elements of the
linked list, in which case the first slot is in the list element
*after* the second slot.

There is also an issue with `VAR_DTOR_ENTRIES_MAX`[2] which doesn't
match the actual definition[3] and at least wastes memory.

[1] <https://github.com/php/php-src/blob/php-7.4.0beta4/ext/standard/var_unserializer.re#L653-L660>
[2] <https://github.com/php/php-src/blob/php-7.4.0beta4/ext/standard/var_unserializer.re#L26>
[3] <https://github.com/php/php-src/blob/php-7.4.0beta4/ext/standard/var_unserializer.re#L43>
 [2019-08-22 15:19 UTC] cmb@php.net 
The following pull request has been associated:

Patch Name: Fix #78438: Corruption when __unserializing deeply nested structures
On GitHub:  https://github.com/php/php-src/pull/4608
Patch:      https://github.com/php/php-src/pull/4608.patch
 [2019-08-23 09:42 UTC] cmb@php.net
-Summary: Data corruption when using __serialize and __unserialize in nested structures +Summary: Corruption when __unserializing deeply nested structures -Assigned To: +Assigned To: cmb
 [2019-08-23 09:43 UTC] cmb@php.net 
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ca265eb54510ff9513abf37a05e40de0a8a50789
Log: Fix #78438: Corruption when __unserializing deeply nested structures
 [2019-08-23 09:43 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 10:01:29 2024 UTC