Bug #52113 Seg fault after unserializing DatePeriod
Submitted: 2010-06-17 21:49 UTC    Modified: 2011-12-06 06:23 UTC
Votes: 4    Avg. Score: 4.8 ± 0.4    Reproduced: 4 of 4 (100.0%)    Same Version: 2 (50.0%)    Same OS: 1 (25.0%)
From: cmc333333 at gmail dot com    Assigned: derick
Status: Closed    Package: Date/time related
PHP Version: 5.3.2    OS: Debian Squeeze/Sid
Private report: No    CVE-ID: None
 [2010-06-17 21:49 UTC] cmc333333 at gmail dot com
Description:
------------
PHP 5.3.2-1 with Suhosin-Patch (cli) (built: Mar 14 2010 00:09:57
Standard Debian packages

Segfault when trying to construct a DatePeriod with an unserialized DateInterval.

Test script:
---------------
<?php
$start = new DateTime('2003-01-02 08:00:00');
$end = new DateTime('2003-01-02 12:00:00');
$diff = $start->diff($end);
$p = new DatePeriod($start, $diff, 2);   // fine: $diff was built by the engine and is fully initialised

$diff_s = serialize($diff);

$diff_un = unserialize($diff_s);
// Will segfault: the unserialized DateInterval has no internal timelib struct,
// and the DatePeriod constructor clones it (timelib_rel_time_clone(rel=0x0))
$p = new DatePeriod($start, $diff_un, 2);


Expected result:
----------------
No Segfault

Actual result:
--------------
#0  timelib_rel_time_clone (rel=0x0) at /usr/include/bits/string3.h:52
#1  0x000000000042de6a in zim_DatePeriod___construct (ht=29638928, return_value=0x0, return_value_ptr=0x0, 
    this_ptr=0x1c09668, return_value_used=104)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/ext/date/php_date.c:3727
#2  0x00007fd3c9990c5c in xdebug_execute_internal (current_execute_data=0x7fd3d3bd6068, return_value_used=0)
    at /build/buildd-xdebug_2.0.5-1+b1-amd64-qDjrMY/xdebug-2.0.5/build-php5/xdebug.c:1631
#3  0x00000000006cb4c6 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fd3d3bd6068)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/Zend/zend_vm_execute.h:315
#4  0x00000000006a29b0 in execute (op_array=0x1c03258)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/Zend/zend_vm_execute.h:104
#5  0x00007fd3c99908a9 in xdebug_execute (op_array=0x1c03258)
    at /build/buildd-xdebug_2.0.5-1+b1-amd64-qDjrMY/xdebug-2.0.5/build-php5/xdebug.c:1562
#6  0x000000000067a64d in zend_execute_scripts (type=0, retval=0x7fffdbd0dd20, file_count=3)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/Zend/zend.c:1266
#7  0x0000000000626288 in php_execute_script (primary_file=Cannot access memory at address 0x8000dbd0cbb8)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/main/main.c:2288
#8  0x000000000070a992 in main (argc=0, argv=0x2c4bf84)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/sapi/cli/php_cli.c:1196
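The practical workaround for the report above, as an added example that is not code from the bug thread: on the affected builds `unserialize()` returns a DateInterval whose internal timelib struct is NULL (the `rel=0x0` in the trace), so instead of serializing the object itself, persist the interval as an ISO 8601 duration string and rebuild it through `DateInterval::__construct()`, which always produces a fully initialised object. The helper names, the allow-list regex and the leading "-" convention for the invert flag are this example's own.

```php
<?php
// Added example for bug #52113; not code from the bug thread.
// Persist a DateInterval as a duration string and rebuild it through the
// constructor rather than round-tripping the object through serialize().

function interval_to_spec(DateInterval $iv) {
    // Only y/m/d/h/i/s are carried; the "days" value diff() fills in is
    // derived data and is not preserved.
    $date = '';
    if ($iv->y) $date .= $iv->y . 'Y';
    if ($iv->m) $date .= $iv->m . 'M';
    if ($iv->d) $date .= $iv->d . 'D';
    $time = '';
    if ($iv->h) $time .= $iv->h . 'H';
    if ($iv->i) $time .= $iv->i . 'M';
    if ($iv->s) $time .= $iv->s . 'S';
    $spec = 'P' . $date . ($time !== '' ? 'T' . $time : '');
    if ($spec === 'P') {
        $spec = 'PT0S';   // a bare "P" is rejected by the constructor
    }
    // A leading "-" records the invert flag: our own convention, not ISO 8601.
    return ($iv->invert ? '-' : '') . $spec;
}

function spec_to_interval($stored) {
    $invert = 0;
    if (substr($stored, 0, 1) === '-') {
        $invert = 1;
        $stored = substr($stored, 1);
    }
    // Allow-list exactly the shape interval_to_spec() emits before the string
    // reaches the parser, so untrusted storage cannot smuggle in other forms
    // (weeks, the alternate "P0001-00-00T00:00:00" notation, or garbage).
    if (!preg_match('/^P(?:\d+Y)?(?:\d+M)?(?:\d+D)?(?:T(?:\d+H)?(?:\d+M)?(?:\d+S)?)?$/', $stored)) {
        throw new InvalidArgumentException('Rejected duration spec: ' . $stored);
    }
    $iv = new DateInterval($stored);   // constructed normally: internal state present
    $iv->invert = $invert;
    return $iv;
}

// Same fixture as the report's test script.
$start = new DateTime('2003-01-02 08:00:00');
$end   = new DateTime('2003-01-02 12:00:00');
$diff  = $start->diff($end);

$stored   = interval_to_spec($diff);
$restored = spec_to_interval($stored);

// Safe on every version: $restored came out of DateInterval::__construct().
$p = new DatePeriod($start, $restored, 2);
foreach ($p as $dt) {
    echo $dt->format('Y-m-d H:i:s'), "\n";
}
```

For the report's fixture the stored string is `PT4H`, and the rebuilt interval drives the DatePeriod without touching the broken unserialize path. The constructor still throws an Exception on an empty or malformed spec, which is the failure mode you want from untrusted input: an exception, not a NULL dereference in the engine.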


 [2010-06-18 02:49 UTC] dtajchreber@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: derick
 [2010-06-18 02:49 UTC] dtajchreber@php.net
Verified with a fresh checkout. Assigning to Derick. 

david@beirut:~/php/5_3$ sapi/cli/php -v
PHP 5.3.3-dev (cli) (built: Jun 17 2010 19:42:56) 
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies


(gdb) r -ddate.timezone="America/Chicago" /home/david/test.php
Starting program: /home/david/php/5_3/sapi/cli/php -ddate.timezone="America/Chicago" /home/david/test.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
timelib_rel_time_clone (rel=0x0) at /usr/include/bits/string3.h:52
52	  return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0  timelib_rel_time_clone (rel=0x0) at /usr/include/bits/string3.h:52
#1  0x0000000000421728 in zim_DatePeriod___construct (ht=<value optimized out>, return_value=<value optimized out>, return_value_ptr=<value optimized out>, this_ptr=0xde26c8, return_value_used=<value optimized out>) at /home/david/php/5_3/ext/date/php_date.c:3752
#2  0x00000000006afd36 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7e7f050) at /home/david/php/5_3/Zend/zend_vm_execute.h:316
#3  0x00000000006a9e58 in execute (op_array=0xddd8f8) at /home/david/php/5_3/Zend/zend_vm_execute.h:107
#4  0x00000000006855da in zend_execute_scripts (type=8, retval=<value optimized out>, file_count=3) at /home/david/php/5_3/Zend/zend.c:1194
#5  0x00000000006352ed in php_execute_script (primary_file=<value optimized out>) at /home/david/php/5_3/main/main.c:2260
#6  0x000000000070bad0 in main (argc=<value optimized out>, argv=<value optimized out>) at /home/david/php/5_3/sapi/cli/php_cli.c:1192
 [2011-01-22 08:37 UTC] stas@php.net
DatePeriod, as most other Date* objects, does not have a proper serialization
handler; this is the cause of the segfault.
 [2011-01-22 08:45 UTC] stas@php.net
I meant DateInterval, but true for DatePeriod too.
 [2011-01-30 10:50 UTC] stas@php.net
-Summary: Seg fault while creating DatePeriod +Summary: Seg fault after unserializing DatePeriod
 [2011-11-24 21:47 UTC] felipe@php.net
Another way to have a related crash:

<?php
class dummy extends DateInterval {
        public function __construct() {
                // never calls parent::__construct(), so the internal interval struct is left NULL
        }
}
$x = new dummy;
$x->y = 1;   // crashes in date_interval_write_property (SET_VALUE_FROM_STRUCT)


0x0000000000447349 in date_interval_write_property (object=0x7ffff7fcb200, member=0x7ffff7fcd708, value=0x7ffff7fcb180, key=0x7ffff7fcd708, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/ext/date/php_date.c:3496
3496			SET_VALUE_FROM_STRUCT(y, "y");
gdb$ bt
#0  0x0000000000447349 in date_interval_write_property (object=0x7ffff7fcb200, member=0x7ffff7fcd708, value=0x7ffff7fcb180, key=0x7ffff7fcd708, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/ext/date/php_date.c:3496
#1  0x0000000000af9683 in zend_assign_to_object (retval=0x0, object_ptr=0x7ffff7fcf8f0, property_name=0x7ffff7fcd708, value_type=0x1, value_op=0x7ffff7fcc7a0, Ts=0x7ffff7f95190, opcode=0x88, key=0x7ffff7fcd708, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/Zend/zend_execute.c:738
#2  0x0000000000bfe0b1 in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_HANDLER (execute_data=0x7ffff7f950f8, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/Zend/zend_vm_execute.h:28753
#3  0x0000000000afdab1 in execute (op_array=0x7ffff7fcec00, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/Zend/zend_vm_execute.h:410
#4  0x0000000000ab5029 in zend_execute_scripts (type=0x8, tsrm_ls=0x13ae0c0, retval=0x0, file_count=0x3) at /home/felipe/dev/phptrunk/Zend/zend.c:1272
#5  0x00000000009fa7a5 in php_execute_script (primary_file=0x7fffffffe180, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/main/main.c:2414
#6  0x0000000000c3d2ce in do_cli (argc=0x2, argv=0x7fffffffe538, tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/sapi/cli/php_cli.c:983
#7  0x0000000000c3e519 in main (argc=0x2, argv=0x7fffffffe538) at /home/felipe/dev/phptrunk/sapi/cli/php_cli.c:1356
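The userland side of the second crash, as an added example that is not code from the bug thread: a subclass that replaces `__construct()` without chaining to `DateInterval::__construct()` leaves the object's internal interval struct unset, and the first property write (`date_interval_write_property`) dereferences it. Chaining the parent constructor before anything else touches the object is what keeps every later property access safe; the class, property and spec values below are this example's own.

```php
<?php
// Added example for bug #52113; not code from the bug thread.
// Contrast with the "dummy" class above: the parent constructor runs first,
// so the internal timelib struct exists before any property is written.

class LabelledInterval extends DateInterval {
    public $label;

    public function __construct($spec, $label = '') {
        parent::__construct($spec);   // internal state exists from here on
        $this->label = $label;        // user-defined property, stored in the object's table
    }
}

$x = new LabelledInterval('PT4H', 'afternoon shift');
$x->y = 1;   // the same write that crashed "dummy"; safe here because the struct is initialised

$start = new DateTime('2003-01-02 08:00:00');
$p = new DatePeriod($start, $x, 1);
foreach ($p as $dt) {
    echo $dt->format('Y-m-d H:i:s'), "\n";
}
```

The same rule holds for any subclass of an internal class that carries native state: if you override the constructor, call the parent one, and treat an object created without it (including one produced by the broken unserialize path) as unusable until the engine-side fix is in place.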
 [2011-12-06 06:23 UTC] derick@php.net
-Status: Verified +Status: Closed
 [2011-12-06 06:23 UTC] derick@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 