Bug #27484 serialize / unserialize crash
Submitted: 2004-03-03 15:32 UTC Modified: 2004-03-10 07:03 UTC
Votes:2
Avg. Score:3.0 ± 2.0
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: friosa at pnpitalia dot it Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5CVS-2004-03-03 (dev) OS: Linux 2.4.18-4GB
Private report: No CVE-ID: None
 [2004-03-03 15:32 UTC] friosa at pnpitalia dot it
Description:
------------
Investigating bug #27469, I tried to serialize an object that, when used, was crashing php + apache.
Trying to unserialize it on php 4.x produces a boolean true variable; doing the same on php 5 CVS produces a crash, but in a different function/program (php_var_serialize_class_name / var.c).

Reproduce code:
---------------
<?php
$mime_part=unserialize(base64_decode("TzoxMjoiTUlNRV9NZXNzYWdlIjoxOTp7czo2OiJfYnVpbGQiO2I6MTtzOjE0OiJfZGVmYXVsdFNlcnZlciI7czo4OiJ3d3cyLnBucCI7czo1OiJfdHlwZSI7czo0OiJ0ZXh0IjtzOjg6Il9zdWJ0eXBlIjtpOjA7czo5OiJfY29udGVudHMiO3M6MDoiIjtzOjE3OiJfdHJhbnNmZXJFbmNvZGluZyI7czo0OiI3Yml0IjtzOjExOiJfZW5jb2RlN2JpdCI7YjoxO3M6MTI6Il9kZXNjcmlwdGlvbiI7czowOiIiO3M6MTI6Il9kaXNwb3NpdGlvbiI7czo2OiJpbmxpbmUiO3M6MjI6Il9kaXNwb3NpdGlvblBhcmFtZXRlcnMiO2E6MDp7fXM6MjI6Il9jb250ZW50VHlwZVBhcmFtZXRlcnMiO2k6MDtzOjY6Il9wYXJ0cyI7YTowOnt9czoxMjoiX2luZm9ybWF0aW9uIjtpOjA7czo2OiJfYnl0ZXMiO3I6MTtzOjU6Il9jaWRzIjthOjA6e31zOjc6Il9taW1laWQiO2k6MDtzOjQ6Il9lb2wiO3M6MToiCiI7czo2OiJfZmxhZ3MiO2k6MDtzOjY6Il9pZG1hcCI7YTowOnt9fQ=="));
$pluto=unserialize(base64_decode("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"));

$pluto->buildMessagePart($mime_part);
define('MIME_CONTENTS_CACHE', 'mimecache');
class MIME_Contents {
    function MIME_Contents($messageOb, $viewID = array(), $contents = array()) {}
    function buildMessagePart(&$mime_part)
    {
        $msg = '';
        // CRASH HERE
        echo "<pre>" . addslashes(serialize($mime_part)) . "</pre>";
        return $msg;
    }
}

class IMP_Contents extends MIME_Contents {
    function IMP_Contents($index)   {}
}
?>
Actual result:
--------------
Bug #27469  	zend_variables.c problem
Submitted:	2 Mar 6:00pm EST 	Modified:	3 Mar 4:32am EST
From:	friosa at pnpitalia dot it
Status:	Feedback 	Category:	Zend Engine 2 problem
Version:	5.0.0b4 (beta4) 	OS:	Linux 2.4.18-4GB

gdb ./httpd
(gdb) run -X
Starting program: /TEST/apache/bin/./httpd -X
[New Thread 1024 (LWP 17036)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 17036)]

0x4035080f in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x4035080f in memcpy () from /lib/libc.so.6
#1  0x405f8b0b in php_var_serialize_class_name (buf=0xbfffc4dc, struc=0x16f1520) at /TEST/php5-200403022230/ext/standard/var.c:480
#2  0x40698d73 in zend_do_fcall_common_helper (execute_data=0xbfffc850, opline=0xbfffc4d5, op_array=0xa) at /TEST/php5-200403022230/Zend/zend_execute.c:2677
#3  0x406703b9 in zend_execute_scripts (type=1081403672, retval=0x40d0d24c, file_count=516) at /TEST/php5-200403022230/Zend/zend.c:1041
(gdb)


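The blob in the reproduce code is worth decoding before anything else: a serialized string is exactly the kind of input nobody should hand to unserialize() blind, and its structure is simple enough to read by hand once it is out of base64. What follows is an added example, not code from this report or from PHP: a small Python reader for PHP's serialize() format that lists the classes a blob would instantiate and checks every r:/R: back-reference, flagging references into a container that is still being parsed (a cycle) and references to a slot that does not exist yet (dangling). Run on the first blob from the report (decoded from its base64 here; the second blob is not available on this page), it shows a MIME_Message object with 19 properties whose _bytes property is r:1, a reference back to the object itself. Whether that self-reference is what the PHP 5 serializer trips over in php_var_serialize_class_name is not something the report establishes. The slot-numbering rule in the class comment is my reading of PHP's unserializer and is stated as an assumption.

```python
# Added example (not code from the bug report or from PHP): a reader for PHP's
# serialize() format, for inspecting a blob before unserialize() ever sees it. It
# lists the classes a blob would instantiate and checks every r:/R: back-reference.
from collections import namedtuple

PhpObject = namedtuple("PhpObject", "cls props")  # props: {name: value}
Ref = namedtuple("Ref", "kind slot")              # kind "r"/"R", 1-based slot


class PhpSerialInspector:
    # Slot numbering is my reading of PHP's unserializer (assumption): every value
    # gets a slot in order of appearance from 1; keys take none; R: takes none, r: does.
    def __init__(self, data: bytes):
        self.data, self.pos, self.slots, self.open, self.classes = data, 0, [], [], []
        self.cycles, self.dangling = [], []  # lists of (path, slot)

    def _expect(self, tok: bytes):
        if not self.data.startswith(tok, self.pos):
            raise ValueError(f"expected {tok!r} at offset {self.pos}")
        self.pos += len(tok)

    def _until(self, delim: bytes) -> bytes:  # bytes.index raises if delim is absent
        end = self.data.index(delim, self.pos)
        tok, self.pos = self.data[self.pos:end], end + len(delim)
        return tok

    def _lstr(self) -> str:  # LEN:"BYTES" -- LEN counts bytes, so the payload may
        n = int(self._until(b':"'))  # hold quotes, ';' or NUL bytes: trust the
        raw, self.pos = self.data[self.pos:self.pos + n], self.pos + n  # length,
        self._expect(b'"')  # never scan for the closing quote
        return raw.decode("latin-1")

    def _key(self):  # i:N; or s:LEN:"...";  same syntax as a scalar value...
        if self.data[self.pos:self.pos + 1] not in (b"i", b"s"):
            raise ValueError(f"bad key at offset {self.pos}")
        k = self._value("")
        self.slots.pop()  # ...but a key takes no slot
        return k

    def _push(self, v):
        self.slots.append(v)
        return v

    def _value(self, path: str):
        tag, self.pos = self.data[self.pos:self.pos + 1], self.pos + 1
        self._expect(b";" if tag == b"N" else b":")
        if tag == b"N":                                   # N;
            return self._push(None)
        if tag in (b"b", b"i", b"d"):                     # b:1;  i:42;  d:1.5;
            conv = {b"b": lambda r: r == b"1", b"i": int, b"d": float}[tag]
            return self._push(conv(self._until(b";")))
        if tag == b"s":                                   # s:LEN:"...";
            v = self._lstr()
            self._expect(b";")
            return self._push(v)
        if tag in (b"a", b"O"):           # a:N:{k v ...}   O:LEN:"Cls":N:{k v ...}
            is_obj, cls = tag == b"O", None
            if is_obj:
                cls = self._lstr()
                self.classes.append(cls)
                self._expect(b":")
            n = int(self._until(b":{"))
            box = self._push(PhpObject(cls, {}) if is_obj else {})
            self.open.append(len(self.slots))  # this container's slot number
            for _ in range(n):
                k = self._key()
                sub = f"{path}.{k}" if is_obj else f"{path}[{k!r}]"
                (box.props if is_obj else box)[k] = self._value(sub)
            self.open.pop()
            self._expect(b"}")
            return box
        if tag in (b"r", b"R"):                           # r:N;  R:N;
            ref = Ref(tag.decode(), int(self._until(b";")))
            if ref.slot in self.open:
                self.cycles.append((path, ref.slot))
            elif not 1 <= ref.slot <= len(self.slots):
                self.dangling.append((path, ref.slot))
            return self._push(ref) if ref.kind == "r" else ref
        raise ValueError(f"unknown type tag {tag!r} near offset {self.pos}")


def inspect_php_serialized(data: bytes) -> dict:
    ins = PhpSerialInspector(data)
    value = ins._value("$")
    if ins.pos != len(ins.data):
        raise ValueError(f"trailing bytes at offset {ins.pos}")
    return dict(value=value, classes=ins.classes, cycles=ins.cycles, dangling=ins.dangling)


# Decoded from the first base64 blob in the report's reproduce code (the second
# blob is not available on this page and is not reproduced here).
MIME_PART = (
    b'O:12:"MIME_Message":19:{s:6:"_build";b:1;s:14:"_defaultServer";s:8:"www2.pnp";s:5:"_type";s:4:"text";'
    b's:8:"_subtype";i:0;s:9:"_contents";s:0:"";s:17:"_transferEncoding";s:4:"7bit";s:11:"_encode7bit";b:1;'
    b's:12:"_description";s:0:"";s:12:"_disposition";s:6:"inline";s:22:"_dispositionParameters";a:0:{}'
    b's:22:"_contentTypeParameters";i:0;s:6:"_parts";a:0:{}s:12:"_information";i:0;s:6:"_bytes";r:1;'
    b's:5:"_cids";a:0:{}s:7:"_mimeid";i:0;s:4:"_eol";s:1:"\n";s:6:"_flags";i:0;s:6:"_idmap";a:0:{}}'
)
```

`inspect_php_serialized(MIME_PART)` returns the MIME_Message object, `classes == ["MIME_Message"]`, `cycles == [("$._bytes", 1)]` and no dangling references; a blob such as `a:1:{i:0;r:9;}` is reported as dangling, and a string whose declared length does not match its payload raises ValueError, which is the kind of "invalid serialized string" a maintainer would reject. The `classes` list is what you would compare against an allowlist before deserializing in a PHP 7 or later codebase, where `unserialize($s, ['allowed_classes' => [...]])` refuses to instantiate anything else.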
 [2004-03-09 08:53 UTC] sniper@php.net
The serialized string in your example code is invalid.
Please provide a working version and WITHOUT the base64 encoding!!

 [2004-03-10 07:03 UTC] friosa at pnpitalia dot it
Sorry, the machine has become a production server, so I can't recreate the problem any more.

I think that if it's not possible to recreate this problem on other computers (it was on mine, getting the data from *this* page), it's better to close this bug.
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Tue Jul 29 05:00:02 2025 UTC