Bug #77283 memory exhausted when unserialize data
Submitted: 2018-12-11 16:16 UTC
Modified: 2020-05-11 10:52 UTC
From: jasonxiale at mail dot ru
Assigned: nikic
Status: Closed
Package: Class/Object related
PHP Version: master-Git-2018-12-11 (Git)
OS: Linux(4.15.0-42-generic)
Private report: No
CVE-ID: None
 [2018-12-11 16:16 UTC] jasonxiale at mail dot ru
Description:
------------
When fuzzing the PHP unserialize function using the command:
./sapi/cli/php  -r 'unserialize(file_get_contents("php://stdin"));' < basic_fuzz/fuzzer11/crashes/id\:000000\,sig\:06\,src\:000158+000528\,op\:splice\,rep\:2

I got an error:
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 42949672960 bytes) in Command line code on line 1


Test script:
---------------
The base64-encoded input is:
base64 basic_fuzz/fuzzer11/crashes/id\:000000\,sig\:06\,src\:000158+000528\,op\:splice\,rep\:2 
YTozOntpOjA7YToyOntpOjA7TzoxOiIxIjowNzc3Nzc3Nzc3Ojc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3
Nzc3Nzc3Nzc3Nzc7ASkxOip//yI3Nzc3NzQiO31pOkk7YToyOntpOjA7aVwxO2k3N6UXMSNpAAAA
AX0=


 [2020-05-11 10:52 UTC] nikic@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic
 [2020-05-11 10:52 UTC] nikic@php.net
This has been addressed in the meantime, unserialize() no longer allows allocations larger than the payload size.
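
The bound described in the closing comment, sketched as an added C example (not code from php-src or from either commenter): a declared element count is rejected before anything is sized from it when it exceeds the bytes left in the payload. The function name `read_array_header`, the status enum and the simplified `a:<count>:{` header handling are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum hdr_status { HDR_OK = 0, HDR_MALFORMED = -1, HDR_COUNT_TOO_LARGE = -2 };

/*
 * Validate an array header "a:<count>:{" at buf[*pos] before anything is
 * sized from <count>. Every element occupies at least one byte of input, so
 * a count above the bytes left after the header cannot be honest.
 * On HDR_OK, *count is set and *pos points just past '{'; on any error both
 * are left untouched.
 * (Hypothetical helper for illustration; not a php-src function.)
 */
enum hdr_status read_array_header(const char *buf, size_t len,
                                  size_t *pos, uint64_t *count)
{
    size_t p = *pos, digits = 0;
    uint64_t n = 0;

    if (p > len || len - p < 2 || buf[p] != 'a' || buf[p + 1] != ':')
        return HDR_MALFORMED;
    p += 2;

    /* Accumulate decimal digits, refusing values that overflow 64 bits. */
    while (p < len && buf[p] >= '0' && buf[p] <= '9') {
        uint64_t d = (uint64_t)(buf[p] - '0');
        if (n > (UINT64_MAX - d) / 10)
            return HDR_COUNT_TOO_LARGE;
        n = n * 10 + d;
        p++;
        digits++;
    }
    if (digits == 0 || len - p < 2 || buf[p] != ':' || buf[p + 1] != '{')
        return HDR_MALFORMED;
    p += 2;

    /* The bound: declared elements may not exceed the remaining payload. */
    if (n > (uint64_t)(len - p))
        return HDR_COUNT_TOO_LARGE;

    *count = n;
    *pos = p;
    return HDR_OK;
}
```

A caller would pre-size its table only after `HDR_OK`, so the largest allocation driven by a count is proportional to the input length rather than to an attacker-chosen number.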