Bug #34311 unserialize() causes php to segfault
Submitted: 2005-08-30 19:37 UTC
Modified: 2005-09-05 18:25 UTC
From: marco at storm dot ee
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 5CVS, 4CVS (2005-08-31)
OS: *
Private report: No
CVE-ID: None
 [2005-08-30 19:37 UTC] marco at storm dot ee
Description:
------------
OS: Debian-AMD64, Linux 2.6.12.5
Configure line: configure --enable-debug --with-zlib

gdb:
Program terminated with signal 11, Segmentation fault.

#0  0x00000000004ede39 in php_var_unserialize (rval=0x7fffffd4cc90, p=0x7fffffd4cc58,
    max=0x7bb831 "", var_hash=0x7fffffd4cc60)
    at /home/marco/soft/php-4.4.0/ext/standard/var_unserializer.c:428
#1  0x00000000004e5045 in zif_unserialize (ht=1, return_value=0x7b45e0, this_ptr=0x0,
    return_value_used=0) at /home/marco/soft/php-4.4.0/ext/standard/var.c:716
#2  0x0000000000570876 in execute (op_array=0x7b5200)
    at /home/marco/soft/php-4.4.0/Zend/zend_execute.c:1672
#3  0x000000000055aa3d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/marco/soft/php-4.4.0/Zend/zend.c:938
#4  0x000000000051f878 in php_execute_script (primary_file=0x7fffffd4f6b0)
    at /home/marco/soft/php-4.4.0/main/main.c:1751
#5  0x00000000005777a3 in main (argc=2, argv=0x7fffffd4f828)
    at /home/marco/soft/php-4.4.0/sapi/cli/php_cli.c:828


Segfault reproduced with php4-STABLE-200508300648 and php-4.4.0.

Reproduce code:
---------------
<?php

 $fp = fopen('http://194.204.33.43/test.txt', 'r');
 $line = fread($fp, 1);
 unserialize($line);
 fclose($fp);

?>

Expected result:
----------------
no output

Actual result:
--------------
Segmentation fault

 [2005-08-31 16:41 UTC] sniper@php.net
Short reproducing script:

# php -r 'unserialize("?");'

(that's an "a" with a ring above it :)


 [2005-09-03 16:01 UTC] nlopess@php.net
After all this was just a simple typo. I've tracked it down and I've made a patch.

Patch: http://mega.ist.utl.pt/~ncpl/php_3411_patch.txt
Regenerated file with (re2c -b -o): http://mega.ist.utl.pt/~ncpl/php_var_unserializer.c.txt
 [2005-09-05 18:25 UTC] sniper@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
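
A regression check for the crash reported above, added here as an example; it is not part of the original report or of the PHP project's test suite. It goes beyond the single byte in the report and feeds every possible one-byte string to unserialize() in a child process, so a crashing build is recorded instead of taking the harness down. The function name probe_byte is hypothetical, and PHP 7 or later is assumed for running the harness itself.

```php
<?php
// Added example: regression harness for single-byte unserialize() input.
// No one-byte string is a valid serialized value, so every child process
// must exit normally and print "false".

function probe_byte(int $byte): array   // hypothetical helper name
{
    // The byte is passed as a number and rebuilt with chr() in the child,
    // which avoids shell and source-encoding problems with bytes >= 0x80.
    $code = 'var_export(@unserialize(chr(' . $byte . ')));';
    $cmd  = escapeshellarg(PHP_BINARY) . ' -n -r ' . escapeshellarg($code);

    $pipes = [];
    $proc  = proc_open($cmd, [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("cannot start child process for byte $byte");
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);

    // A child that exits cleanly yields 0; one killed by a signal such as
    // SIGSEGV yields a non-zero status.
    $exit = proc_close($proc);

    return ['exit' => $exit, 'out' => $out];
}

$failures = [];
for ($b = 0x00; $b <= 0xFF; $b++) {
    $r = probe_byte($b);
    if ($r['exit'] !== 0 || $r['out'] !== 'false') {
        $failures[] = sprintf('0x%02X exit=%d out=%s', $b, $r['exit'], $r['out']);
    }
}

if ($failures) {
    echo "unexpected results:\n", implode("\n", $failures), "\n";
    exit(1);
}
echo "all 256 single-byte inputs rejected cleanly\n";
```

To test a different build than the one running the harness, replace PHP_BINARY with the path to that build's CLI binary.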


 
Last updated: Thu Nov 21 15:01:30 2024 UTC