Bug #34045 Buffer overflow with serialized object
Submitted: 2005-08-09 07:15 UTC Modified: 2005-08-10 08:39 UTC
From: david dot tulloh at anu dot edu dot au Assigned:
Status: Closed Package: Class/Object related
PHP Version: 5CVS-2005-08-09 (dev) OS: Debian Linux
Private report: No CVE-ID: None
 [2005-08-09 07:15 UTC] david dot tulloh at anu dot edu dot au
Description:
------------
The attached code triggers what looks to me like a buffer overflow.  I've been able to reproduce it on two different computers running a current and slightly older version of PHP CVS.  Reproducible through both the CLI and Apache2.

I stumbled across this while trying to extend SimpleTest and then cut the code back to the smallest reproducible subset.

I suspect that the problem starts when serializing-deserializing the singleton object.  All the layers of seemingly redundant OOP are then required to bring out the error.  I really have no idea why though. 

Originally sent to security@php.net.

Reproduce code:
---------------
http://cmhr118130.anu.edu.au:100/overflow.phps

Expected result:
----------------
ClassWithError::__construct - 42 - type = string(14) "BasicSingleton"
ClassWithError::__construct - 44 - type = string(14) "BasicSingleton" 

Actual result:
--------------
(continues past what's shown):
ClassWithError::__construct - 42 - type = string(14) "BasicSingleton"
ClassWithError::__construct - 44 - type = string(137552044) "tI3                                       P?]d_?l?O`F
&&!?M`OClassWithError9@OO?O`1`O?O 1O?O 1?O?P 

 [2005-08-09 07:21 UTC] rasmus@php.net
Verified here:
http://lerdorf.com/valgrind.txt
 [2005-08-10 08:39 UTC] dmitry@php.net
Fixed in CVS HEAD (6.0) and PHP_5_1.
 