Bug #17728 unserialize fails to decode object data
Submitted: 2002-06-12 10:37 UTC Modified: 2002-10-14 19:26 UTC
Votes:16
Avg. Score:4.8 ± 0.5
Reproduced:15 of 15 (100.0%)
Same Version:9 (60.0%)
Same OS:5 (33.3%)
From: romans at void dot lv
Assigned:
Status: No Feedback
Package: Strings related
PHP Version: 4.3.0-dev + ZE2
OS: linux 2.4
Private report: No
CVE-ID: None
 [2002-06-12 10:37 UTC] romans at void dot lv
Actually the bug report is about 4.3.0 (also tried CVS) with Zend2.
I was trying to restore object data from a session, and PHP segfaults when I do session_start for the second time.

I guess it's unserialize's fault.

Here is a script causing the problem:

<?php
class Test {
   var $a;
}
session_start();           // on the second request this unserializes the stored object and segfaults
var_dump($_SESSION);
echo "session started";
$x = new Test;
session_register('x');     // stores $x in the session as x|O:4:"test":1:{s:1:"a";N;}
var_dump($_SESSION);
?>

session data looks like this:
x|O:4:"test":1:{s:1:"a";N;}


Here is a gdb backtrace

(gdb) bt
#0  0x8170b51 in ?? () at eval.c:88
#1  0x40385c10 in _object_init_ex (arg=0x8171204, class_type=0x817bdac,
    tsrm_ls=0x812fe38) at /usr/src/x-apache/php4/Zend/zend_API.c:610
#2  0x40332b8e in php_var_unserialize (rval=0xbfffd898, p=0xbfffd89c,
    max=0x817790f "", var_hash=0xbfffd8a0, tsrm_ls=0x812fe38)
    at var_unserializer.re:196
#3  0x402dae00 in ps_srlzr_decode_php (
    val=0x81778f4 "x|O:4:\"test\":1:{s:1:\"a\";N;}", vallen=27,
    tsrm_ls=0x812fe38) at /usr/src/x-apache/php4/ext/session/session.c:412
#4  0x402db131 in php_session_decode (
    val=0x81778f4 "x|O:4:\"test\":1:{s:1:\"a\";N;}", vallen=27,
    tsrm_ls=0x812fe38) at /usr/src/x-apache/php4/ext/session/session.c:462
#5  0x402db454 in php_session_initialize (tsrm_ls=0x812fe38)
    at /usr/src/x-apache/php4/ext/session/session.c:542
#6  0x402dc6b6 in php_session_start (tsrm_ls=0x812fe38)
    at /usr/src/x-apache/php4/ext/session/session.c:898
#7  0x402de23c in zif_session_start (ht=0, return_value=0x8170b3c,
    this_ptr=0x0, return_value_used=0, tsrm_ls=0x812fe38)
    at /usr/src/x-apache/php4/ext/session/session.c:1324
#8  0x4039d6fe in execute (op_array=0x817788c, tsrm_ls=0x812fe38)
    at /usr/src/x-apache/php4/Zend/zend_execute.c:2107
#9  0x40384538 in zend_execute_scripts (type=8, tsrm_ls=0x812fe38, retval=0x0,
    file_count=3) at /usr/src/x-apache/php4/Zend/zend.c:833
#10 0x40357e4f in php_execute_script (primary_file=0xbffff9b0,
    tsrm_ls=0x812fe38) at /usr/src/x-apache/php4/main/main.c:1376
#11 0x403a7313 in php_output_filter (f=0x8168020, bb=0x8168270)
    at /usr/src/x-apache/php4/sapi/apache2filter/sapi_apache2.c:405
#12 0x808282f in ap_pass_brigade (next=0x8168020, bb=0x8168118)
    at util_filter.c:534
#13 0x8088285 in default_handler (r=0x8166b98) at core.c:3249
#14 0x8079379 in ap_run_handler (r=0x8166b98) at config.c:193
#15 0x807978a in ap_invoke_handler (r=0x8166b98) at config.c:373
#16 0x806acb2 in ap_process_request (r=0x8166b98) at http_request.c:261
#17 0x806762d in ap_process_http_connection (c=0x8162448) at http_core.c:291
#18 0x80810ad in ap_run_process_connection (c=0x8162448) at connection.c:85
#19 0x80812f3 in ap_process_connection (c=0x8162448, csd=0x8162378)
    at connection.c:207
#20 0x80781c8 in child_main (child_num_arg=0) at prefork.c:671
#21 0x807826b in make_child (s=0x812e400, slot=0) at prefork.c:711
#22 0x807833d in startup_children (number_to_start=5) at prefork.c:783
#23 0x807865a in ap_mpm_run (_pconf=0x80aee20, plog=0x80e6f00, s=0x812e400)
    at prefork.c:999
#24 0x807cd49 in main (argc=2, argv=0xbffffbf4) at main.c:632
#25 0x40173f5c in __libc_start_main (main=0x807c744 <main>, argc=2,
    ubp_av=0xbffffbf4, init=0x805e73c <_init>, fini=0x8091a24 <_fini>,
    rtld_fini=0x4000ce30 <_dl_fini>, stack_end=0xbffffbec)

sorry, but no additional information about globals / arguments. 

Thank you.

 [2002-06-12 10:40 UTC] romans at void dot lv
.
 [2002-06-13 05:00 UTC] tthiery at yahoo dot de
Same problem in win32/apache 1.3.22

The function unserialize fails with classes.

code:
<?php
class A {
   var $a;
}

$a = new A();
$b = $a;                   // under ZE2 both variables hold the same object handle
$b->a = 4;
echo $a->a;                // correct ze2: output = 4

$arr = array();
$arr[0] = $a;
$arr[1] = $b;
$arr[1]->a = 5;

echo $arr[0]->a;           // correct ze2: output = 5

$str = serialize($arr);
unset($a);                 // originally written as "delete $a;", which is not PHP
$arr = null;
$arr = unserialize($str);  // ----------> crash
?>

Thanx and good luck
 [2002-06-19 16:58 UTC] ifju at wicca dot hu
This problem has also occurred in version 4.2.0. I've experienced it on FreeBSD 4.5-RELEASE-p4
 [2002-09-19 13:26 UTC] kalowsky@php.net
Can you try the patch posted in Bug #19493 and tell us if this works for you?  
 [2002-10-14 19:26 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 14:01:32 2024 UTC