             [2006-06-28 20:19 UTC] tony2001@php.net
  [2006-07-10 14:03 UTC] dmitry@php.net
Description:
------------
Argument stack reallocations may cause heap corruption or segmentation faults. Functions that accept arguments through zend_get_parameters (zval ** - pointer to a zend_ptr_stack element) and run user callbacks that may need more stack space are affected. So unserialize (__wakeup), sort functions in the 4.4 version, and so on. Also, using a complicated user error handler is quite risky.

Reproduce code:
---------------
<?php
class test {
    // Recurse with six arguments so every frame pushes more entries onto the
    // engine's argument stack, forcing it to grow (and be reallocated).
    function extend_zend_ptr_stack($count, $a, $b, $c, $d, $e) {
        if ($count > 0) {
            $this->extend_zend_ptr_stack($count - 1, $a, $b, $c, $d, $e);
        }
    }

    // Invoked by unserialize() while it still holds zval** pointers into the
    // argument stack it was called with.
    function __wakeup() {
        $this->extend_zend_ptr_stack(10, 'a', 'b', 'c', 'd', 'e');
    }
}

// Array of two elements: a test object, then trailing junk that makes
// unserialize() fail after __wakeup() has already run.
$str = 'a:2:{i:0;O:4:"test":0:{}junk';
var_dump(unserialize($str));

Expected result:
----------------
bool(false)

Actual result:
--------------
#0 0x081be837 in zif_unserialize (ht=1, return_value=0x9b97ddc, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /root/cvs/php_5_1/ext/standard/var.c:860
#1 0x08234f10 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfec6c80) at /root/cvs/php_5_1/Zend/zend_vm_execute.h:192
#2 0x082348a1 in execute (op_array=0x9ba611c) at /root/cvs/php_5_1/Zend/zend_vm_execute.h:92
#3 0x0821acb2 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/cvs/php_5_1/Zend/zend.c:1101
#4 0x081e2804 in php_execute_script (primary_file=0xbfec9180) at /root/cvs/php_5_1/main/main.c:1719
#5 0x08285f9e in main (argc=2, argv=0xbfec9254) at /root/cvs/php_5_1/sapi/cli/php_cli.c:1090
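The mechanism the report describes, as an added C illustration that is not PHP engine code and not the reporter's: a toy model of a growable pointer stack standing in for zend_ptr_stack, a "function" that keeps a zval** into that stack across a user callback (the pattern zend_get_parameters encourages), and the same function copying the zval* out of the slot before the callback. The callback mimics the report's __wakeup(): a recursion pushing six arguments per frame. All names (ptr_stack, stack_push, vulnerable_function, fixed_function, demo) and the 8-slot initial capacity are assumptions of the model. The real engine frees the old block on reallocation, so the stale read there is a use-after-free that shows up as the crash in the backtrace or under ASan; the model keeps retired blocks zeroed instead so the stale read is observable without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy model of an engine argument stack such as Zend's zend_ptr_stack.
 * Added illustration, not PHP engine code: a growable array of pointers
 * that is moved to a fresh block whenever it fills up.
 */
typedef struct { long lval; } zval;   /* stand-in for a Zend value */

#define MAX_RETIRED 16
typedef struct {
    void **elements;               /* current block holding the slots     */
    int    top, max;               /* live slot count and block capacity  */
    /* Blocks abandoned by earlier grows. The real engine frees them (so a
     * stale zval** is a use-after-free); the demo keeps them zeroed so the
     * stale read is observable without undefined behaviour. */
    void **retired[MAX_RETIRED];
    int    nretired;
} ptr_stack;

static void stack_init(ptr_stack *s, int cap) {
    memset(s, 0, sizeof *s);
    s->elements = calloc(cap, sizeof(void *));
    s->max = cap;
}

static void stack_push(ptr_stack *s, void *p) {
    if (s->top == s->max) {                       /* full: grow by moving */
        void **bigger = calloc(s->max * 2, sizeof(void *));
        memcpy(bigger, s->elements, s->top * sizeof(void *));
        memset(s->elements, 0, s->max * sizeof(void *));  /* "freed" block */
        if (s->nretired == MAX_RETIRED) { fputs("too many grows\n", stderr); exit(1); }
        s->retired[s->nretired++] = s->elements;
        s->elements = bigger;
        s->max *= 2;
    }
    s->elements[s->top++] = p;
}

static void stack_free(ptr_stack *s) {
    free(s->elements);
    for (int i = 0; i < s->nretired; i++) free(s->retired[i]);
}

/* A user callback like the report's __wakeup(): recursing with six
 * arguments pushes 6 slots per frame, then everything unwinds. */
static void run_deep_callback(ptr_stack *s, int frames) {
    zval dummy = { 0 };
    for (int i = 0; i < frames * 6; i++) stack_push(s, &dummy);
    s->top -= frames * 6;
}

/* Vulnerable pattern (the one the report describes): hold the zval** that
 * zend_get_parameters handed out across a call into user code. */
long vulnerable_function(ptr_stack *s, int frames) {
    zval **arg = (zval **)&s->elements[s->top - 1];  /* slot of our argument */
    run_deep_callback(s, frames);                     /* may move the block  */
    if (*arg == NULL) return -1;   /* slot lives in a retired block: stale */
    return (*arg)->lval;
}

/* Safer pattern (assumed fix, not the engine's): read the zval* out of the
 * slot before user code can run, so moving the slot array no longer matters. */
long fixed_function(ptr_stack *s, int frames) {
    zval **arg = (zval **)&s->elements[s->top - 1];
    zval *val = *arg;              /* copy out before the callback */
    run_deep_callback(s, frames);
    return val->lval;              /* val points at the value, not the slot */
}

/* Push one argument (value 42), run the chosen pattern with `frames`
 * recursive callback frames, return what it read (-1 = stale pointer). */
long demo(int use_fixed, int frames) {
    ptr_stack s;
    zval arg = { 42 };
    stack_init(&s, 8);
    stack_push(&s, &arg);
    long r = use_fixed ? fixed_function(&s, frames) : vulnerable_function(&s, frames);
    stack_free(&s);
    return r;
}

int main(void) {
    printf("vulnerable, 1 frame   (no grow): %ld\n", demo(0, 1));
    printf("vulnerable, 10 frames (grows):   %ld\n", demo(0, 10));
    printf("fixed,      10 frames (grows):   %ld\n", demo(1, 10));
    return 0;
}
```

With one callback frame the six pushes fit in the initial block, so the stale pointer is never exercised and the vulnerable function still returns 42; the bug only triggers once the callback crosses a capacity boundary, which is why the report's reproducer recurses ten levels deep with six arguments. A practitioner checking a C extension for this class of bug looks for any zval** obtained from the argument stack that is still dereferenced after a call that can run user code (callbacks, __wakeup, error handlers, comparison functions in sort).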