Bug #57954 Segfault on unserialize
Submitted: 2007-12-06 00:19 UTC Modified: 2008-01-09 15:32 UTC
From: r at roze dot lv Assigned:
Status: Closed Package: memcache (PECL)
PHP Version: 4_4 CVS-2007-12-06 OS: OpenSuse 10.3
Private report: No CVE-ID: None
 [2007-12-06 00:19 UTC] r at roze dot lv
Description:
------------
Extension 2.2.1 makes php 4.4.7 (also 5.2.5; only 4.4.7 was debugged) php_var_unserialize crash.

Revision: 1.85 works fine.




Reproduce code:
---------------
<?php
$mc = new Memcache;
$mc->addServer('10.2.9.1',11212,0,1,2,1,1);
$mc->addServer('10.2.9.2',11212,0,1,2,1,1);
$mc->addServer('10.2.9.3',11212,0,1,2,1,1);
$mc->addServer('10.2.9.4',11212,0,1,2,1,1);

$users = array(0 => 190032, 1 => 3949, 2 => 190032, 3 => 23825, 4 => 23825, 5 => 102666, 6 => 9096, 7 => 80095, 8 => 6880, 9 => 80095, 10 => 80095, 11 => 15395, 12 => 66672, 13 => 6880, 14 => 15395, 15 => 9096, 16 => 954488, 17 => 6880, 18 => 4741, 19 => 4741);

$userData = $mc->get($users);

?>


Expected result:
----------------
Something retrieved or empty resultset.

Actual result:
--------------
Starting program: /data/debug-php/bin/php test.php

Program received signal SIGSEGV, Segmentation fault.
0x080df885 in php_var_unserialize (rval=0xbfcd2fe4, p=0xbfcd2d48, max=0x26d <Address 0x26d out of bounds>, var_hash=0xbfcd2d40)
    at /data/install/php-4.4.7_debug/ext/standard/var_unserializer.c:331
331             if (var_hash && cursor[0] != 'R') {
(gdb) bt full
#0  0x080df885 in php_var_unserialize (rval=0xbfcd2fe4, p=0xbfcd2d48, max=0x26d <Address 0x26d out of bounds>, var_hash=0xbfcd2d40)
    at /data/install/php-4.4.7_debug/ext/standard/var_unserializer.c:331
        cursor = (const unsigned char *) 0x0
        limit = (const unsigned char *) 0x0
        marker = (const unsigned char *) 0x0
        start = (const unsigned char *) 0x1 <Address 0x1 out of bounds>
        rval_ref = (zval **) 0x810f050
        yybm = '\0' <repeats 48 times>, "\200\200\200\200\200\200\200\200\200\200", '\0' <repeats 197 times>
#1  0xb7dce37f in mmc_postprocess_value (return_value=0xbfcd2fe4, value=0x0, value_len=<value optimized out>)
    at /data/install/php-4.4.7_debug/memcache-2.2.1/memcache.c:1180
        value_tmp = 0x0
        var_hash = {first = 0x0, first_dtor = 0x0}
#2  0xb7dd1533 in zif_memcache_get (ht=1, return_value=0x84cb98c, this_ptr=0x84c81c4, return_value_used=1)
    at /data/install/php-4.4.7_debug/memcache-2.2.1/memcache.c:1334
        value = (zval *) 0x84cbce4
        pool = (mmc_pool_t *) 0x84cc994
        zkey = (zval *) 0x84cb94c
        mmc_object = (zval *) 0x84c81c4
        flags = (zval *) 0x0
        key = "\000\000\210?L\b????\026\000\000\000@\001??\030/Ϳ8\000\000\000\\\001????L\bp\001??A\000\000\000`\001??5???\000\000\000\000h?L\b????@\001??P0Ϳ8/Ϳ????@\001??X\000\000\000\a\000\000\0000\v\000\000 ?L\bh/Ϳ\b\000\000\000????\201???P0Ϳh/Ϳ????@\001??0\000\000\000\f?L\b?\201L\bP0Ϳ\230/Ϳ??\020\b0\000\000\000P0Ϳp\001??A\000\000\000`\001??b?L\b\000\000\000\000?\220\022\bb?L\b\006\000\000\000}\003\000\000\006\000"...
        key_len = <value optimized out>
#3  0x081388ce in execute (op_array=0x84c839c) at /data/install/php-4.4.7_debug/Zend/zend_execute.c:1681
        original_return_value = (zval **) 0xb7e7a854
        return_value_used = 1
        execute_data = {opline = 0x84ceb34, function_state = {function_symbol_table = 0x0, function = 0x84be1a8, reserved = {0xb7f40170, 0xf30, 0xb7e7a854,
      0x4}}, fbc = 0x84be1a8, ce = 0x0, object = {ptr = 0x84c81c4}, Ts = 0xbfcd3050, original_in_execution = 0 '\0', op_array = 0x84c839c,
  prev_execute_data = 0x0}
#4  0x081221e3 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /data/install/php-4.4.7_debug/Zend/zend.c:939
        files = 0xbfcd3664 ""
        i = 1
        file_handle = (zend_file_handle *) 0xbfcd58a8
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        local_retval = (zval *) 0x0
#5  0x080e9d52 in php_execute_script (primary_file=0xbfcd58a8) at /data/install/php-4.4.7_debug/main/main.c:1757
        orig_bailout = {{__jmpbuf = {-1208750092, -1208017760, -1077061344, -1077061368, -497173648, 1434656025}, __mask_was_saved = 0, __saved_mask = {
      __val = {0 <repeats 32 times>}}}}
        orig_bailout_set = 1 '\001'
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
        old_cwd = 0xbfcd3670 ""
        old_primary_file_path = 0x849995c "test.php"
        retval = 0
#6  0x0813fa5f in main (argc=2, argv=0xbfcd59a4) at /data/install/php-4.4.7_debug/sapi/cgi/cgi_main.c:1687
        orig_bailout = {{__jmpbuf = {0, 0, 0, 0, 0, 0}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 32 times>}}}}
        orig_bailout_set = 0 '\0'
        exit_status = 0
        cgi = 0
        c = 60
        i = 16777216
        len = 134595280
        file_handle = {type = 2 '\002', filename = 0xbfcd46a0 "/home/rrozitis/test.php", opened_path = 0x84c74cc "\006", handle = {fd = 139231648,
    fp = 0x84c81a0}, free_filename = 0 '\0'}
        retval = 0
        s = 0x8168ff4 ""
        behavior = 1
        no_headers = 0
        orig_optind = 1
        orig_optarg = 0x0
        script_file = 0x0
        global_vars = {head = 0x0, tail = 0x0, size = 4, count = 0, dtor = 0, persistent = 0 '\0', traverse_ptr = 0x0}
        interactive = 0
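The top two frames of the trace show the defect pattern: mmc_postprocess_value receives value=0x0 and hands it to php_var_unserialize, whose first act is to read cursor[0]. The reported max=0x26d is consistent with value_len being non-zero while the value pointer itself is NULL (a cache miss or an unset slot in a multi-get), so max = NULL + 0x26d. The following C is an added example, not code from the memcache extension or from PHP's var_unserializer.c; the names toy_unserialize, postprocess_value and TOY_SERIALIZED are constructed for illustration. It shows the two checks a defender wants here: refuse a NULL or too-short buffer before the first dereference, and validate every length field against the bytes actually present before trusting it.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not memcache.c or PHP's unserializer. It models a
 * postprocess step that receives a fetched value and, when the
 * "serialized" flag is set, passes it to a cursor/limit decoder. */

#define TOY_SERIALIZED 0x01u   /* constructed flag bit, not the extension's */

typedef struct {
    int kind;                    /* 0 = nothing decoded, 1 = integer, 2 = string */
    long ival;
    const unsigned char *sval;   /* points into the caller's buffer, not copied */
    size_t slen;
} toy_value;

/* Read a non-negative decimal number terminated by `term`, never reading
 * at or past `limit`. Advances *cursor past the terminator on success. */
static int read_number(const unsigned char **cursor, const unsigned char *limit,
                       unsigned char term, long *out)
{
    const unsigned char *c = *cursor;
    long v = 0;

    if (c >= limit || *c < '0' || *c > '9')
        return 0;
    while (c < limit && *c >= '0' && *c <= '9') {
        if (v > (LONG_MAX - 9) / 10)      /* reject lengths that would overflow */
            return 0;
        v = v * 10 + (long)(*c - '0');
        c++;
    }
    if (c >= limit || *c != term)
        return 0;
    *cursor = c + 1;
    *out = v;
    return 1;
}

/* Bounds-checked decoder for two PHP serialization forms,
 *   i:<digits>;   and   s:<len>:"<bytes>";
 * Returns 1 and fills *out on success, 0 on NULL, truncated or malformed
 * input. Every dereference is preceded by a check against limit. */
int toy_unserialize(const unsigned char *buf, size_t len, toy_value *out)
{
    const unsigned char *cursor = buf;
    const unsigned char *limit;
    long n;

    /* The reported crash is cursor[0] with cursor == NULL: refuse a missing
     * or too-short buffer first. "i:0;" (4 bytes) is the shortest valid input. */
    if (buf == NULL || out == NULL || len < 4)
        return 0;
    limit = buf + len;
    memset(out, 0, sizeof *out);

    if (cursor[1] != ':')
        return 0;

    switch (cursor[0]) {
    case 'i':
        cursor += 2;
        if (!read_number(&cursor, limit, ';', &n))
            return 0;
        out->kind = 1;
        out->ival = n;
        return 1;
    case 's':
        cursor += 2;
        if (!read_number(&cursor, limit, ':', &n))
            return 0;
        if (cursor >= limit || cursor[0] != '"')
            return 0;
        cursor++;
        /* The declared length comes from the peer: compare it with the bytes
         * actually present (payload + closing quote + semicolon) first. */
        if ((size_t)n + 2 > (size_t)(limit - cursor))
            return 0;
        if (cursor[n] != '"' || cursor[n + 1] != ';')
            return 0;
        out->kind = 2;
        out->sval = cursor;
        out->slen = (size_t)n;
        return 1;
    default:
        return 0;
    }
}

/* Stands in for the postprocess step. A miss arrives as value == NULL,
 * possibly with a stale value_len; it is reported as "no value" and never
 * forwarded to the decoder. */
int postprocess_value(const unsigned char *value, size_t value_len,
                      unsigned flags, toy_value *out)
{
    if (value == NULL || out == NULL)
        return 0;
    if (!(flags & TOY_SERIALIZED)) {      /* raw value: pass through as a string */
        memset(out, 0, sizeof *out);
        out->kind = 2;
        out->sval = value;
        out->slen = value_len;
        return 1;
    }
    return toy_unserialize(value, value_len, out);
}

int main(void)
{
    /* Constructed inputs: one valid serialized integer, one string whose
     * declared length exceeds the buffer, and a miss with a stale length. */
    const unsigned char hit[] = "i:190032;";
    const unsigned char bad[] = "s:50:\"hello\";";
    toy_value v;
    int rc;

    rc = postprocess_value(hit, sizeof hit - 1, TOY_SERIALIZED, &v);
    printf("hit     -> %d (ival=%ld)\n", rc, v.ival);
    rc = postprocess_value(bad, sizeof bad - 1, TOY_SERIALIZED, &v);
    printf("bad len -> %d\n", rc);
    rc = postprocess_value(NULL, 0x26d, TOY_SERIALIZED, &v);
    printf("miss    -> %d\n", rc);
    return 0;
}
```

The decoder deliberately keeps `sval` as a pointer into the input rather than copying, mirroring how a real unserializer works; the caller must therefore keep the fetched buffer alive for as long as the decoded value is used.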


 [2007-12-06 00:32 UTC] r at roze dot lv
Tested also with CVS version (revision: 1.93) the segfault is the same.
 [2008-01-09 15:32 UTC] mikael at synd dot info
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.