PHP :: Bug #27263 :: Unserialize crashes on multiple objects, stored in session explicitly

Bug #27263

Unserialize crashes on multiple objects, stored in session explicitly

Submitted:

2004-02-15 13:31 UTC

Modified:

2004-02-29 13:56 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

davojan at mail dot ru

Assigned:

Status:

Closed

Package:

Session related

PHP Version:

5CVS-2004-02-17

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	davojan at mail dot ru
New email:
PHP Version:		OS:

New Comment:

[2004-02-15 13:31 UTC] davojan at mail dot ru

Description:
------------
PHP crashes on session_start() if object "foo" references to object "bar" and both "foo" and "bar" are put into session explicitly each into it's element.

The example below will work if we comment line:
$_SESSION['bar'] = $bar;
the only one "foo" is put to session explicitly and "bar" is also put, but as a member of "foo".

Reproduce code:
---------------
<?
class foo {
	public $bar = NULL;
}
class bar {}
//=============================[]
	$foo = new foo();
	$bar = new bar();
	$foo->bar = $bar;
	session_start();
	$_SESSION['foo'] = $foo;
	$_SESSION['bar'] = $bar;	// it will be all right, if we comment this

	session_write_close();
	session_start();	// crashing here
	echo "OK";
?>

Expected result:
----------------
OK

Actual result:
--------------
In browser:
"The page cannot be displayed"

In /var/log/httpd-error.log:
[Sun Feb 15 21:21:22 2004] [notice] child pid 230 exit signal Segmentation fault (11)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-02-16 17:38 UTC] davojan at mail dot ru

Sorry, but when I add --enable-debug to my configure the bug "dissapeared", the example script worked fine. The crashe takes place only in the debugless version, it's backtrace hardly can help you:

Program terminated with signal 10, Bus error.
.//usr/local/lib/php/20020429/templates.so: No such file or directory.
#0  0x2860f780 in ?? () from /usr/local/libexec/apache/libphp5.so
(gdb) bt
#0  0x2860f780 in ?? () from /usr/local/libexec/apache/libphp5.so
#1  0x8050416 in ap_clear_pool ()
#2  0x8050478 in ap_destroy_pool ()
#3  0x80503eb in ap_clear_pool ()
#4  0x8050478 in ap_destroy_pool ()
#5  0x805b190 in clean_parent_exit ()
#6  0x805d84d in standalone_main ()
#7  0x805dcab in main ()
#8  0x804fc39 in _start ()

It is a bad sign, it may mean buffer overflow anywhere in the program, i suppose. It may be difficult to find the bug. I'm ready to provide any help in catching it...

[2004-02-16 21:59 UTC] sniper@php.net

Nevermind, could reproduce. Only happens without --enable-debug! Here's the backtrace:

_efree Zend/zend_alloc.c:257
257             CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size);
(gdb) bt
#0  _efree (ptr=0x61775f5f) at Zend/zend_alloc.c:257
#1  0x4038b383 in _zval_dtor (zvalue=0x82b73c4) at Zend/zend_variables.c:45
#2  0x40384141 in _zval_ptr_dtor (zval_ptr=0xbfffcb00) at Zend/zend_execute_API.c:359
#3  0x4034a36b in php_var_unserialize (rval=0xbfffcb00, p=0xbfffcb04, max=0x82b630e "", var_hash=0xbfffcb08)
    at var_unserializer.re:293
#4  0x402b7f29 in ps_srlzr_decode_php (val=0x61775f5f <Address 0x61775f5f out of bounds>, vallen=50)
    at ext/session/session.c:502
#5  0x402b81dd in php_session_decode (val=0x82b62dc "foo|O:3:\"foo\":1:{s:3:\"bar\";O:3:\"bar\":0:{}}bar|r:2;", 
    vallen=50) at ext/session/session.c:549
#6  0x402b8646 in php_session_initialize () at ext/session/session.c:730
#7  0x402b9a13 in php_session_start () at ext/session/session.c:1162
#8  0x402bb031 in zif_session_start (ht=0, return_value=0x82b6004, this_ptr=0x0, return_value_used=0)
    at ext/session/session.c:1601
#9  0x403a9c96 in zend_do_fcall_common_helper (execute_data=0xbfffced0, opline=0x82b5e14, op_array=0x82af144)
    at Zend/zend_execute.c:2642
#10 0x403a9dce in zend_do_fcall_handler (execute_data=0xbfffced0, opline=0x82b5e14, op_array=0x82af144)
    at Zend/zend_execute.c:2771
#11 0x403a68eb in execute (op_array=0x82af144) at Zend/zend_execute.c:1339
#12 0x4038cdfd in zend_execute_scripts (type=8, retval=0x0, file_count=3) at Zend/zend.c:1052
#13 0x4035ca96 in php_execute_script (primary_file=0xbffff220) at main/main.c:1647
#14 0x403afc2e in apache_php_module_main (r=0x832503c, display_source_mode=0)
    at sapi/apache/sapi_apache.c:54
#15 0x403b0629 in send_php (r=0x832503c, display_source_mode=0, filename=0x0)
    at sapi/apache/mod_php5.c:621

[2004-02-29 13:56 UTC] moriyoshi@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Nov 03 13:00:01 2025 UTC