Bug #27484 serialize / unserialize crash
Submitted: 2004-03-03 15:32 UTC Modified: 2004-03-10 07:03 UTC
Votes:2
Avg. Score:3.0 ± 2.0
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: friosa at pnpitalia dot it Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5CVS-2004-03-03 (dev) OS: Linux 2.4.18-4GB
Private report: No CVE-ID: None
 [2004-03-03 15:32 UTC] friosa at pnpitalia dot it
Description:
------------
Investigating bug #27469, I've tried to serialize an object that was crashing php + apache.
Trying to unserialize it on php 4.x produces a boolean true variable; doing the same on php 5 cvs creates a crash, but in a different fx/program (php_var_serialize_class_name / var.c).





Reproduce code:
---------------
<?php
$mime_part=unserialize(base64_decode("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"));
$pluto=unserialize(base64_decode("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"));

$pluto->buildMessagePart($mime_part);
define('MIME_CONTENTS_CACHE', 'mimecache');
class MIME_Contents {
    function MIME_Contents($messageOb, $viewID = array(), $contents = array()) {}
    function buildMessagePart(&$mime_part)
    {
        $msg = '';
        // CRASH HERE
        echo "<pre>" . addslashes(serialize($mime_part)) . "</pre>";
        return $msg;
    }
}

class IMP_Contents extends MIME_Contents {
    function IMP_Contents($index)   {}
}
?>


Actual result:
--------------
Bug #27469  	zend_variables.c problem
Submitted:	2 Mar 6:00pm EST 	Modified:	3 Mar 4:32am EST
From:	friosa at pnpitalia dot it
Status:	Feedback 	Category:	Zend Engine 2 problem
Version:	5.0.0b4 (beta4) 	OS:	Linux 2.4.18-4GB

gdb ./httpd
(gdb) run -X
Starting program: /TEST/apache/bin/./httpd -X
[New Thread 1024 (LWP 17036)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 17036)]

0x4035080f in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x4035080f in memcpy () from /lib/libc.so.6
#1  0x405f8b0b in php_var_serialize_class_name (buf=0xbfffc4dc, struc=0x16f1520) at /TEST/php5-200403022230/ext/standard/var.c:480
#2  0x40698d73 in zend_do_fcall_common_helper (execute_data=0xbfffc850, opline=0xbfffc4d5, op_array=0xa) at /TEST/php5-200403022230/Zend/zend_execute.c:2677
#3  0x406703b9 in zend_execute_scripts (type=1081403672, retval=0x40d0d24c, file_count=516) at /TEST/php5-200403022230/Zend/zend.c:1041
(gdb)


 [2004-03-09 08:53 UTC] sniper@php.net
The serialized string in your example code is invalid.
Please provide a working version and WITHOUT the base64 encoding!!

 [2004-03-10 07:03 UTC] friosa at pnpitalia dot it
Sorry, the machine has become a production server, so I can't recreate the problem any more.

I think that if it's not possible to recreate this problem on other computers (it was on mine, getting the data from *this* page), it's better to close this bug.
 