PHP :: Bug #25378 :: Invalid data passed to unserialize() causes segfault

Bug #25378	Invalid data passed to unserialize() causes segfault
Submitted:	2003-09-03 05:21 UTC	Modified:	2003-09-06 20:56 UTC
From:	skissane at ics dot mq dot edu dot au	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	4.3.4-dev, 5.0.0b2-dev; 5CVS-2003-09-06-0330	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	skissane at ics dot mq dot edu dot au
New email:
PHP Version:		OS:

New/Additional Comment:

[2003-09-03 05:21 UTC] skissane at ics dot mq dot edu dot au

Description:
------------
Invalid string data passed to unserialize function causes segfault.

Reproduce code:
---------------
<? unserialize("s:-1:\"\";"); ?>


Expected result:
----------------
No segfault.
Raise an error about data passed to unserialize being invalid.

Actual result:
--------------
#0  0x4207c45c in memcpy () from /lib/tls/libc.so.6
#1  0x081192e0 in _estrndup (s=0xbfffcb04 "\024\220\035\b", length=136191999) at /home/skissane/php-4.3.3/Zend/zend_alloc.c:387
#2  0x080dae02 in php_var_unserialize (rval=0xbfffcb04, p=0xbfffcae4, max=0x81d8ffc "", var_hash=0xbfffcae8)
    at /home/skissane/php-4.3.3/ext/standard/var_unserializer.c:549
#3  0x080d2d5c in zif_unserialize (ht=1, return_value=0x81d9014, this_ptr=0x0, return_value_used=0) at /home/skissane/php-4.3.3/ext/standard/var.c:671
#4  0x081335ea in execute (op_array=0x81dcec4) at /home/skissane/php-4.3.3/Zend/zend_execute.c:1616
#5  0x08126d0d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/skissane/php-4.3.3/Zend/zend.c:885
#6  0x081016d7 in php_execute_script (primary_file=0xbfffefc0) at /home/skissane/php-4.3.3/main/main.c:1723
#7  0x081381f3 in main (argc=2, argv=0xbffff044) at /home/skissane/php-4.3.3/sapi/cli/php_cli.c:818
#8  0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-09-03 11:27 UTC] sniper@php.net

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

[2003-09-06 01:55 UTC] skissane at ics dot mq dot edu dot au

The fix in the CVS only partially solves the problem. This reproduce script still causes a segfault:

echo unserialize("s:99999999:\"\";");

The problem is that the unserialize code is not checking that the length of the string given in the argument to s is less than the length of the string given as the argument to unserialize. Large enough numbers return random junk from memory; even larger numbers segfault. Negative numbers = very large positive numbers in 2s complement arithmetic!

[2003-09-06 20:56 UTC] sniper@php.net

Adding more checks for this is pointless.
Just enable the memory limit with --enable-memory-limit configure option and set the "memory_limit" in your php.ini to a reasonable amount.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Oct 26 15:00:01 2025 UTC