Bug #34306 wddx_serialize_value() crashes with long array keys
Submitted: 2005-08-30 14:10 UTC Modified: 2005-08-31 16:33 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: dmitrysp at yandex dot ru Assigned:
Status: Closed Package: WDDX related
PHP Version: 5CVS, 4CVS (2005-08-31) OS: *
Private report: No CVE-ID: None
 [2005-08-30 14:10 UTC] dmitrysp at yandex dot ru
Description:
------------
Apache2 crash. 

Try Apache2 + PHP 5.1.0RC1, 
Apache2 + PHP 5.1.0-dev (built: Aug 30 2005 08:42:21), 
php.exe 4.3.0 console.

szAppName : Apache.exe     szAppVer : 2.0.54.0     szModName : php5ts.dll     
szModVer : 5.1.0.0     offset : 001e144d     

Reproduce code:
---------------
    <?php
    // Build a 254-byte string containing every byte value 1..254.
    $str='';
    for ($i=1; $i<255; $i++) $str.=chr($i);
    // Use that long string as the only array key.
    $mix=array($str=>1);
    $buf=wddx_serialize_value($mix, 'name'); // apache crash here
    echo "ok";



 [2005-08-31 11:27 UTC] sniper@php.net
Apparently the maximum array key length for wddx serializer is 254. It doesn't matter what the content is.

 [2005-08-31 11:28 UTC] sniper@php.net
Correction: The max length is 251.
 [2005-08-31 14:43 UTC] sniper@php.net
(gdb) bt
#0  0x083b98dd in _zend_is_inconsistent (ht=0x0, file=0x869a3f0 "/usr/src/php/php_5_1/Zend/zend_hash.c", line=1022)
    at /usr/src/php/php_5_1/Zend/zend_hash.c:53
#1  0x083bc002 in zend_hash_move_forward_ex (ht=0x0, pos=0x0) at /usr/src/php/php_5_1/Zend/zend_hash.c:1022
#2  0x08355ed5 in php_wddx_serialize_array (packet=0x0, arr=0x0) at /usr/src/php/php_5_1/ext/wddx/wddx.c:589

 [2005-08-31 14:44 UTC] sniper@php.net
Previous frame inner to this frame (corrupt stack?)
 [2005-08-31 16:32 UTC] sniper@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in HEAD and PHP_5_1 branches. Won't fix elsewhere.
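The thread establishes that a string array key longer than 251 bytes crashes wddx_serialize_value() on the affected builds. The following is an added example, not code from the report or from PHP itself: a guard that walks a value recursively and refuses to serialize when any string key exceeds that limit, so an unpatched build fails with an exception instead of taking the web server down. It assumes the wddx extension is loaded (it was removed from core in PHP 7.4); the constant and function names are this example's own.

```php
<?php
// Limit taken from the bug discussion (251); PHP defines no such constant.
const WDDX_MAX_KEY_LEN = 251;

/**
 * Returns the key path (outermost first) of the first string key in $value,
 * at any depth, that is longer than $limit bytes, or null if none is found.
 * Objects are not descended into; only arrays are checked.
 */
function find_long_wddx_key($value, int $limit = WDDX_MAX_KEY_LEN, array $path = []): ?array
{
    if (!is_array($value)) {
        return null;
    }
    foreach ($value as $key => $child) {
        if (is_string($key) && strlen($key) > $limit) {
            return array_merge($path, [$key]);
        }
        $found = find_long_wddx_key($child, $limit, array_merge($path, [$key]));
        if ($found !== null) {
            return $found;
        }
    }
    return null;
}

/**
 * Runs the guard first, then hands the value to wddx_serialize_value().
 */
function safe_wddx_serialize($value, ?string $comment = null): string
{
    $bad = find_long_wddx_key($value);
    if ($bad !== null) {
        throw new InvalidArgumentException(sprintf(
            'Refusing to serialize: key at depth %d is %d bytes (limit %d)',
            count($bad), strlen(end($bad)), WDDX_MAX_KEY_LEN));
    }
    return $comment === null
        ? wddx_serialize_value($value)
        : wddx_serialize_value($value, $comment);
}

// Constructed inputs: the reporter's 254-byte key, and one exactly at the limit.
$longKey = implode('', array_map('chr', range(1, 254)));
$okKey   = str_repeat('k', WDDX_MAX_KEY_LEN);

var_dump(find_long_wddx_key([$okKey => 1]));                // null: within the limit
var_dump(find_long_wddx_key(['outer' => [$longKey => 1]])); // path ending in the long key
```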

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 17:01:58 2024 UTC