Bug #54662 Nested objects cause segmentation fault
Submitted: 2011-05-04 19:11 UTC Modified: 2011-05-06 21:42 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: aleksey dot v dot korzun at gmail dot com Assigned:
Status: Closed Package: SPL related
PHP Version: 5.3.6 OS: Tested on Freebsd/CentOS
Private report: No CVE-ID: None

 

 [2011-05-04 19:11 UTC] aleksey dot v dot korzun at gmail dot com
Description:
------------
Another discussion on this subject can be found here:

http://groups.google.com/group/igbinary/browse_thread/thread/16b8824cbce14c83/8fe37ea6d44556f0#8fe37ea6d44556f0



Test script:
---------------
<?php
/**
 * Proof of concept, segmentation fault (spl_array.c/igbinary.c)
 * when using nested objects.
 *
 * PHP 5.3.6, PECL-Memcached 1.x, Igbinary 1.x
 *
 * @author Aleksey Korzun 
 */

/**
 * You must have pecl-memcached + igbinary
 */
// Memcached endpoint used by the repro script; point these at a reachable
// server running with the igbinary serializer available.
define('MEMCACHE_SERVER', '192.168.2.85');
define('MEMCACHE_PORT', 11211);

/**
 * Wrapper that owns one nested Object, so that serializing a Storage
 * yields an object-within-object payload (the shape that triggered the
 * crash on unserialization in this report).
 */
class Storage
{
    /** @var Object the nested leaf object created in the constructor */
    public $storage;

    public function __construct()
    {
        $this->storage = new Object();
    }
}

/**
 * Empty leaf class that sits innermost in the nested payload.
 *
 * NOTE: "Object" became a reserved class name in PHP 7.2, so this repro
 * declares as written only on PHP 5.x / 7.0 / 7.1.
 */
class Object {}

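/**
 * ArrayObject subclass that builds a large list of nested objects.
 *
 * The backtrace in this report shows the crash inside
 * spl_array_unserialize_helper() while unserializing this collection's
 * payload, so the point of the class is simply to produce many
 * Storage -> Object nestings for the serializer to round-trip.
 */
class Collection extends \ArrayObject
{
    /** Number of Storage entries appended per populate() call. */
    const LIMIT = 1000;

    /**
     * Appends LIMIT fresh Storage instances to the collection.
     *
     * Each call appends another LIMIT entries; the existing contents are
     * not cleared first.
     *
     * @return void
     */
    public function populate()
    {
        // The loop condition on this line was lost in the bug-tracker
        // rendering (the "<" was swallowed); LIMIT is the intended bound,
        // and $limit was being incremented once per appended entry.
        for ($limit = 0; $limit < self::LIMIT; ++$limit) {
            $this->append(new Storage());
        }
    }
}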

// Cache client configured for the igbinary serializer. Per the backtrace
// above, the failure occurs on the get() side, i.e. while unserializing
// the stored payload, not while storing it.
$memcached = new Memcached();
$memcached->setOption(Memcached::OPT_SERIALIZER, Memcached::SERIALIZER_IGBINARY);
$memcached->addServer(MEMCACHE_SERVER, MEMCACHE_PORT);

// Build the nested-object payload that triggers the crash.
$collection = new Collection();
$collection->populate();

// Round-trip through the cache with a 10 second TTL; "Passed" is printed
// only when the value was stored and read back as a truthy value.
$stored = $memcached->set('foobar', $collection, 10);
if ($stored && $memcached->get('foobar')) {
    print "Passed";
}

Expected result:
----------------
Script should output 'Passed'

Actual result:
--------------
#0  0x000000000053b2b4 in var_push_dtor (var_hashx=0x0, rval=0x80163b9f0)
    at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:60
60              var_entries *var_hash = var_hashx->first_dtor, *prev = NULL;

#0  0x000000000053b2b4 in var_push_dtor (var_hashx=0x0, rval=0x80163b9f0)
    at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:60
        var_hash = (var_entries *) 0x80163c560
        prev = (var_entries *) 0x77bc58
#1  0x000000000053e2bd in process_nested_data (rval=0x7fffffffc690, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0, 
    ht=0x80163c560, elements=0) at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:292
        key = (zval *) 0x80163c600
        data = (zval *) 0x80163c678
        old_data = (zval **) 0x80163b9f0
#2  0x000000000053de87 in object_common2 (rval=0x7fffffffc690, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0, elements=1)
    at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:363
        retval_ptr = (zval *) 0x0
        fname = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 75584827}, ht = 0x0, obj = {handle = 0, 
      handlers = 0x481553b}}, refcount__gc = 0, type = 0 '\0', is_ref__gc = 0 '\0'}
#3  0x000000000053c450 in php_var_unserialize (rval=0x7fffffffc690, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0)
    at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:647
        len3 = 7
        user_func = (zval *) 0x5fd1a4
        arg_func_name = (zval *) 0x98
        pce = (zend_class_entry **) 0x80487e7f8
        custom_object = 0
        len = 7
        len2 = 7
        maxlen = 531
        elements = 1
        class_name = 0x80163ba80 "storage"
        ce = (zend_class_entry *) 0x801631cd8
        incomplete_class = 0
        retval_ptr = (zval *) 0x7fffffffc5e0
        args = {0x10}
        yych = 34 '"'
        cursor = (
    const unsigned char *) 0x80481532f "\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:4;"...
        limit = (
    const unsigned char *) 0x804815323 "O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Objec"...
        marker = (
    const unsigned char *) 0x804815324 ":7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object"...
        start = (
    const unsigned char *) 0x804815323 "O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Objec"...
        rval_ref = (zval **) 0x78
        yybm = '\0' <repeats 48 times>, "\200\200\200\200\200\200\200\200\200\200", '\0' <repeats 197 times>
#4  0x000000000053e156 in process_nested_data (rval=0x80163bef0, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0, 
    ht=0x80163c1f0, elements=9) at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:275
        key = (zval *) 0x80163c328
        data = (zval *) 0x80163c478
        old_data = (zval **) 0x77bc58
#5  0x000000000053c7c7 in php_var_unserialize (rval=0x80163bef0, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0)
    at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:713
        elements = 10
        yych = 123 '{'
        cursor = (
    const unsigned char *) 0x80481531f "i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"O"...
        limit = (
    const unsigned char *) 0x804815319 "a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";"...
        marker = (
    const unsigned char *) 0x80481531a ":10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O"...
        start = (
---Type <return> to continue, or q <return> to quit---
    const unsigned char *) 0x804815319 "a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";"...
        rval_ref = (zval **) 0x78
        yybm = '\0' <repeats 48 times>, "\200\200\200\200\200\200\200\200\200\200", '\0' <repeats 197 times>
#6  0x000000000049dc43 in spl_array_unserialize_helper (intern=0x80163bed8, 
    buf=0x804815313 "x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"sto"..., buf_len=552, 
    var_hash_p=0x0) at /usr/ports/lang/php5/work/php-5.3.6/ext/spl/spl_array.c:1763
        p = (
    const unsigned char *) 0x804815353 "}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:4;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\""...
        s = (
    const unsigned char *) 0x804815313 "x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"sto"...
        pmembers = (zval *) 0x72a008dc400
        pflags = (zval *) 0x80163c328
        flags = 0
#7  0x000000000049e084 in spl_array_unserialize (object=0x7fffffffcbe8, ce=0x801632fc8, 
    buf=0x804815313 "x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"sto"..., buf_len=552, 
    data=0x0) at /usr/ports/lang/php5/work/php-5.3.6/ext/spl/spl_array.c:1852
        intern = (spl_array_object *) 0x80163bed8
#8  0x0000000803ef1d58 in igbinary_unserialize_object_ser (igsd=0x7fffffffcb20, t=igbinary_type_object_ser16, z=0x7fffffffcbe8, 
    ce=0x801632fc8) at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:1757
        n = 552
#9  0x0000000803ef1a07 in igbinary_unserialize_object (igsd=0x7fffffffcb20, t=igbinary_type_object_ser16, z=0x7fffffffcbe8)
    at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:1884
        ce = (zend_class_entry *) 0x801632fc8
        pce = (zend_class_entry **) 0x804880a78
        h = (zval *) 0x0
        f = {value = {lval = 140737488341576, dval = 6.9533558071555652e-310, str = {val = 0x7fffffffca48 "(»c\001\b", 
      len = -13776}, ht = 0x7fffffffca48, obj = {handle = 4294953544, handlers = 0x7fffffffca30}}, refcount__gc = 4294953648, 
  type = 0 '\0', is_ref__gc = 0 '\0'}
        name = 0x804815306 "Collection\036\002(x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage"...
        name_len = 10
        r = 45
        incomplete_class = false
        user_func = (zval *) 0x98
        retval_ptr = (zval *) 0x80163ba90
        args = {0x80160a300}
        arg_func_name = (zval *) 0x40
#10 0x0000000803ef0e7a in igbinary_unserialize_zval (igsd=0x7fffffffcb20, z=0x7fffffffcbe8)
    at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:1999
        t = igbinary_type_object8
        tmp_long = 140737488341744
        tmp_double = 6.9533558071662371e-310
        tmp_chararray = 0x803ef4278 "/usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c"
        tmp_size_t = 5450313498624
#11 0x0000000803eee705 in igbinary_unserialize (buf=0x804815300 "", buf_len=571, z=0x7fffffffcbe8)
    at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:363
        igsd = {buffer = 0x804815300 "", buffer_size = 571, buffer_offset = 19, strings = 0x80163bae0, strings_count = 1, 
  strings_capacity = 4, references = 0x80163b6f8, references_count = 1, references_capacity = 4, error = 0, string0_buf = {
    c = 0x0, len = 0, a = 0}}
#12 0x000000080423f3f8 in php_memc_zval_from_payload (value=0x801631630, payload=0x804815300 "", payload_len=571, flags=5, 
    serializer=SERIALIZER_IGBINARY) at /root/php-memcached/php_memcached.c:2719
        payload_emalloc = 0 '\0'
        buffer = 0x0
#13 0x0000000804238381 in php_memc_get_impl (ht=1, return_value=0x801631630, return_value_ptr=0x0, this_ptr=0x80162e600, 
    return_value_used=1, by_key=0 '\0') at /root/php-memcached/php_memcached.c:625
        rc = 0
        return_value_set = 0 '\0'
        key = 0x80163b810 "foobar"
        key_len = 6
        server_key = 0x0
        server_key_len = 0
        payload = 0x804815300 ""
        payload_len = 571
---Type <return> to continue, or q <return> to quit---
        flags = 5
        cas = 0
        keys = {0x80163b810 "foobar"}
        key_lens = {6}
        cas_token = (zval *) 0x0
        fci = {size = 0, function_table = 0x0, function_name = 0x0, symbol_table = 0x0, retval_ptr_ptr = 0x0, param_count = 0, 
  params = 0x0, object_ptr = 0x0, no_separation = 0 '\0'}
        fcc = {initialized = 0 '\0', function_handler = 0x0, calling_scope = 0x0, called_scope = 0x0, object_ptr = 0x0}
        result = {item_flags = 4294954352, item_expiration = 16, key_length = 140737488342384, item_cas = 6268759, 
  root = 0x80163ba90, value = {end = 0x80160a300 "\001", string = 0x1a520 <Address 0x1a520 out of bounds>, current_size = 16, 
    root = 0x80160aa18, options = {is_allocated = true, is_initialized = false}}, 
  item_key = "Ⱥc\001\b\000\000\000\001\000\000\000Üø\022sð\217y\000\000\000\000\000\000\020#\004»\001\000\000h~y\000\000\000\000\000\220Õ_\000\001\000\000\000\020¸c\001\b\000\000\000\000£`\001\b\000\000\000À·c\001\b", '\0' <repeats 15 times>, "\001\000\000\000Ž_\000\000\000\000\000p½c\001\b\000\000\000\001\000\000\000Üø\022sh~y\000\000\000\000\000°¿c\001>\001\000\000ÐÐy\000\000\000\000\000`\205\210\004\001\000\000\0000\026c\001\b\000\000\000Ž_\000\000\000\000\000à\025c\001\b\000\000\000\001\000\000\000Üø\022sh~y\000\000\000\000\000JÊ_\000\000\000\000\000\220Ðy\000\000\000\000\000`\000\000\000\000"..., options = {is_allocated = false, 
    is_initialized = false}}
        status = MEMCACHED_SUCCESS
        object = (zval *) 0x80162e600
        i_obj = (php_memc_t *) 0x801634410
        m_obj = (struct memc_obj *) 0x801638070
#14 0x0000000804237c0b in zim_Memcached_get (ht=1, return_value=0x801631630, return_value_ptr=0x0, this_ptr=0x80162e600, 
    return_value_used=1) at /root/php-memcached/php_memcached.c:465
No locals.
#15 0x000000000065ba1c in zend_do_fcall_common_helper_SPEC (execute_data=0x804888080) at zend_vm_execute.h:316
        opline = (zend_op *) 0x801630ce0
        should_change_scope = 1 '\001'
#16 0x000000000065c9c5 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x804888080) at zend_vm_execute.h:421
No locals.
#17 0x000000000065a9ea in execute (op_array=0x801634540) at zend_vm_execute.h:107
        ret = 0
        execute_data = (zend_execute_data *) 0x804888080
        nested = 1 '\001'
        original_in_execution = 0 '\0'
#18 0x000000000062745d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend.c:1194
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffd270, reg_save_area = 0x7fffffffd1b0}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fffffffea20
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
#19 0x00000000005a7712 in php_execute_script (primary_file=0x7fffffffea20) at /usr/ports/lang/php5/work/php-5.3.6/main/main.c:2268
        realfile = "/www/ch9/test.php\000\000\000\002\000\000\000pïb\001\b\000\000\000pïb\001\b\000\000\000\002\000\000\000\001\000\000\000`ðb\001\b\000\000\000\200Û\215\000\003\000\000\000@ãÿÿÿ\177\000\000\177®c\000\000\000\000\000pïb\001\b\000\000\000\020\000\000\000\002\000\000\000pïb\001\b", '\0' <repeats 11 times>, "8\230x\000\000\000\000\000ð\000\000\000\003\000\000\000ðãÿÿÿ\177\000\000d\032\\\000\000\000\000\000 ª`\001\000\000\000\000\026", '\0' <repeats 15 times>, "\230x\002\000\000\000\000\000pïb\001\b\000\000\000pïb\001\b\000\000\000p\233w\000\000\000\000\000 ïb\001d\001"...
        __orig_bailout = (sigjmp_buf *) 0x7fffffffe980
        __bailout = {{_sjb = {5928021, 2, 140737488343656, 140737488349280, 140737488350208, 140737488350184, 0, 0, 34382807679, 
      6365355, 140737488349008, 0}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, 
      fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, 
      fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fffffffd290 ""
        use_heap = 0 '\0'
        retval = 0
#20 0x000000000071b74a in main (argc=2, argv=0x7fffffffebe8) at /usr/ports/lang/php5/work/php-5.3.6/sapi/cli/php_cli.c:1193
        __orig_bailout = (sigjmp_buf *) 0x0
        __bailout = {{_sjb = {7449865, 2, 140737488349288, 140737488350096, 140737488350208, 140737488350184, 0, 0, 34368979839, 
      34369030656, 34369031168, 34359738368}}}
        exit_status = 0
        c = -1
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7fffffffee2c "test.php", opened_path = 0x0, handle = {
    fd = 23262976, fp = 0x80162f700, stream = {handle = 0x80162f700, isatty = 0, mmap = {len = 1060, pos = 0, map = 0x8008f4000, 
        buf = 0x8008f4000 <Address 0x8008f4000 out of bounds>, old_handle = 0x801505c20, 
        old_closer = 0x643b30 <zend_stream_stdio_closer>}, reader = 0x643b00 <zend_stream_stdio_reader>, 
---Type <return> to continue, or q <return> to quit---
      fsizer = 0x643b70 <zend_stream_stdio_fsizer>, closer = 0x643cd0 <zend_stream_mmap_closer>}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fffffffee2c "test.php"
        arg_excp = (char **) 0x7fffffffebf0
        script_file = 0x7fffffffee2c "test.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = 110

 [2011-05-05 09:50 UTC] aleksey dot v dot korzun at gmail dot com
Possibly resolved in http://svn.php.net/viewvc?view=revision&revision=265477 will test.
 [2011-05-06 21:42 UTC] aleksey dot v dot korzun at gmail dot com
-Status: Open +Status: Closed
 [2011-05-06 21:42 UTC] aleksey dot v dot korzun at gmail dot com
Closing this issue. Turned out to be a fault within the IgBinary extension, resolved in the -dev build.

See: http://alekseykorzun.com/post/5249986502/igbinary-nested-objects-crash-fixed
 