[2016-09-26 02:58 UTC] stas@php.net
-Type: Security
+Type: Bug
[2016-09-26 02:58 UTC] stas@php.net
[2017-01-01 18:27 UTC] nikic@php.net
[2017-01-01 18:27 UTC] nikic@php.net
-Status: Open
+Status: Closed
[2017-01-01 20:18 UTC] nikic@php.net
[2017-01-01 20:18 UTC] nikic@php.net
[2017-01-12 09:12 UTC] krakjoe@php.net
Description:
------------
Serializing an object with a __sleep() method (see the test script below) leads to a crash.

Test script:
---------------
<?php
class a {
    public $a;
    public function __sleep() {
        $this->a=null;
        return array();
    }
}
$s = 'a:1:{i:0;O:1:"a":1:{s:1:"a";R:2;}}';
$x = unserialize($s);
serialize($x);

Expected result:
----------------
no crash

Actual result:
--------------
RAX: 0x13164a000000000 RBX: 0x7ffff7f7ddb0 --> 0x0 RCX: 0x0 RDX: 0x7fffffff9690 --> 0x0 RSI: 0x7fffffff98d0 --> 0x2 RDI: 0x7ffff7f7ddb0 --> 0x0 RBP: 0x7fffffff9560 --> 0x7fffffff9a60 --> 0x7fffffff9f60 --> 0x7fffffff9f80 --> 0x7fffffffa0e0 --> 0x7fffffffa290 (--> ...) RSP: 0x7fffffff9540 --> 0x178f078 --> 0x0 RIP: 0xb6c82b (<zend_get_object_classname+102>: call rax) R8 : 0xffffefefbb0 --> 0x0 R9 : 0xffffe667d09 --> 0x0 R10: 0x0 R11: 0x7 R12: 0x7fffffff9690 --> 0x0 R13: 0x7fffffff98d0 --> 0x2 R14: 0x7fffffffa070 --> 0x7ffff7f7b258 ("a:1:{i:0;\262\367\367\377\177") R15: 0x10007fff72ce --> 0xf4f4f404f1f1f1f1 EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0xb6c820 <zend_get_object_classname+91>: mov ecx,0x0 0xb6c825 <zend_get_object_classname+96>: mov rdx,r12 0xb6c828 <zend_get_object_classname+99>: mov rdi,rbx => 0xb6c82b <zend_get_object_classname+102>: call rax 0xb6c82d <zend_get_object_classname+104>: test eax,eax 0xb6c82f <zend_get_object_classname+106>: je 0xb6c8d1 <zend_get_object_classname+268> 0xb6c835 <zend_get_object_classname+112>: mov rdi,rbx 0xb6c838 <zend_get_object_classname+115>: call 0xb69dad <zend_get_class_entry> Guessed arguments: arg[0]: 0x7ffff7f7ddb0 --> 0x0 [------------------------------------stack-------------------------------------] 0000| 0x7fffffff9540 --> 0x178f078 --> 0x0 0008| 0x7fffffff9548 --> 0x178d328 --> 0x6036000189c0 --> 0x41b58a01 0016| 0x7fffffff9550 --> 0x178f078 --> 0x0 0024| 0x7fffffff9558 --> 0x2f1e0f 0032| 0x7fffffff9560 -->
0x7fffffff9a60 --> 0x7fffffff9f60 --> 0x7fffffff9f80 --> 0x7fffffffa0e0 --> 0x7fffffffa290 (--> ...) 0040| 0x7fffffff9568 --> 0x9cb6bd (<php_var_serialize_intern+23746>: test eax,eax) 0048| 0x7fffffff9570 --> 0xfff00000001 --> 0x0 0056| 0x7fffffff9578 --> 0x0 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x0000000000b6c82b in zend_get_object_classname (object=object@entry=0x7ffff7f7ddb0, class_name=class_name@entry=0x7fffffff98d0, class_name_len=class_name_len@entry=0x7fffffff9690) at /home/z/php5/Zend/zend_API.c:250 250 Z_OBJ_HT_P(object)->get_class_name(object, class_name, class_name_len, 0 TSRMLS_CC) != SUCCESS) { gdb-peda$ bt #0 0x0000000000b6c82b in zend_get_object_classname (object=object@entry=0x7ffff7f7ddb0, class_name=class_name@entry=0x7fffffff98d0, class_name_len=class_name_len@entry=0x7fffffff9690) at /home/z/php5/Zend/zend_API.c:250 #1 0x00000000009cb6bd in php_var_serialize_class_name (struc=0x7ffff7f7ddb0, buf=0x7fffffffa070) at /home/z/php5/ext/standard/var.c:607 #2 php_var_serialize_class (var_hash=0x7ffff7f7b200, retval_ptr=0x7ffff7f7c540, struc=0x7ffff7f7ddb0, buf=0x7fffffffa070) at /home/z/php5/ext/standard/var.c:623 #3 php_var_serialize_intern (buf=buf@entry=0x7fffffffa070, struc=<optimized out>, var_hash=var_hash@entry=0x7ffff7f7b200) at /home/z/php5/ext/standard/var.c:813 #4 0x00000000009d0932 in php_var_serialize_intern (buf=0x7fffffffa070, struc=<optimized out>, var_hash=<optimized out>) at /home/z/php5/ext/standard/var.c:886 #5 0x00000000009d9e47 in php_var_serialize (buf=buf@entry=0x7fffffffa070, struc=<optimized out>, var_hash=var_hash@entry=0x7fffffffa030) at /home/z/php5/ext/standard/var.c:905 #6 0x00000000009da1f1 in zif_serialize (ht=<optimized out>, return_value=0x7ffff7f7dec0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/z/php5/ext/standard/var.c:927 #7 0x0000000000d616fc in 
zend_do_fcall_common_helper_SPEC (execute_data=execute_data@entry=0x7ffff7f47938) at /home/z/php5/Zend/zend_vm_execute.h:558 #8 0x0000000000d630be in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f47938) at /home/z/php5/Zend/zend_vm_execute.h:2602 #9 0x0000000000c148ad in execute_ex (execute_data=execute_data@entry=0x7ffff7f47938) at /home/z/php5/Zend/zend_vm_execute.h:363 #10 0x0000000000d5caaf in zend_execute (op_array=0x7ffff7f7adc0) at /home/z/php5/Zend/zend_vm_execute.h:388 #11 0x0000000000b67b3e in zend_execute_scripts (type=type@entry=0x8, retval=retval@entry=0x0, file_count=file_count@entry=0x3) at /home/z/php5/Zend/zend.c:1341 #12 0x0000000000a48876 in php_execute_script (primary_file=primary_file@entry=0x7fffffffcf20) at /home/z/php5/main/main.c:2613 #13 0x0000000000d6604e in do_cli (argc=argc@entry=0x2, argv=argv@entry=0x60060000ee90) at /home/z/php5/sapi/cli/php_cli.c:994 #14 0x0000000000d680d6 in main (argc=argc@entry=0x2, argv=0x60060000ee90, argv@entry=0x7fffffffe668) at /home/z/php5/sapi/cli/php_cli.c:1378 #15 0x00007ffff3da7f45 in __libc_start_main (main=0xd670a2 <main>, argc=0x2, argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) at libc-start.c:287 #16 0x00000000004226e9 in _start ()