Sec Bug #60240 invalid read/writes when unserializing specially crafted strings
Submitted: 2011-11-08 07:49 UTC Modified: 2011-12-02 11:50 UTC
From: tony2001@php.net Assigned: mike (profile)
Status: Closed Package: SPL related
PHP Version: 5.4.0beta2 OS: Linux 64bit
Private report: No CVE-ID: None

 [2011-11-08 07:49 UTC] tony2001@php.net
Description:
------------
The following tests in 5_4 branch:
ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
ext/session/tests/session_decode_error2.phpt

under Valgrind show several issues that might be quite dangerous.
This issue exists in 5_4 only and is not reproducible in 5_3 branch.

Valgrind log:
==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==    by 0x725681: ps_srlzr_decode_php (session.c:920)
==18527==    by 0x7232A8: php_session_decode (session.c:216)
==18527==    by 0x7293D7: zif_session_decode (session.c:1854)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527==  Address 0xa1b0595 is 0 bytes after a block of size 5 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==    by 0x963158: _emalloc (zend_alloc.c:2423)
==18527==    by 0x96371F: _estrndup (zend_alloc.c:2596)
==18527==    by 0x82D95B: zif_substr (string.c:2269)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527== 
==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==    by 0x85D455: process_nested_data (var_unserializer.re:278)
==18527==    by 0x85EC75: php_var_unserialize (var_unserializer.re:604)
==18527==    by 0x725681: ps_srlzr_decode_php (session.c:920)
==18527==    by 0x7232A8: php_session_decode (session.c:216)
==18527==    by 0x7293D7: zif_session_decode (session.c:1854)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==  Address 0xa1be08a is 0 bytes after a block of size 10 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==    by 0x963158: _emalloc (zend_alloc.c:2423)
==18527==    by 0x96371F: _estrndup (zend_alloc.c:2596)
==18527==    by 0x82D95B: zif_substr (string.c:2269)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527== 
==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==    by 0x85D5E4: process_nested_data (var_unserializer.re:292)
==18527==    by 0x85EC75: php_var_unserialize (var_unserializer.re:604)
==18527==    by 0x725681: ps_srlzr_decode_php (session.c:920)
==18527==    by 0x7232A8: php_session_decode (session.c:216)
==18527==    by 0x7293D7: zif_session_decode (session.c:1854)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==  Address 0xa1c928e is 0 bytes after a block of size 14 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==    by 0x963158: _emalloc (zend_alloc.c:2423)
==18527==    by 0x96371F: _estrndup (zend_alloc.c:2596)
==18527==    by 0x82D95B: zif_substr (string.c:2269)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527== 


SplObjectStorage_unserialize_bad.mem

==32709== Invalid read of size 4
==32709==    at 0x85FC02: php_var_unserialize (zend.h:387)
==32709==    by 0x7C65A7: zim_spl_SplObjectStorage_unserialize (spl_observer.c:860)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid write of size 4
==32709==    at 0x85FC0F: php_var_unserialize (zend.h:387)
==32709==    by 0x7C65A7: zim_spl_SplObjectStorage_unserialize (spl_observer.c:860)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid write of size 1
==32709==    at 0x85FC2A: php_var_unserialize (zend.h:403)
==32709==    by 0x7C65A7: zim_spl_SplObjectStorage_unserialize (spl_observer.c:860)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0495 is 21 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid read of size 1
==32709==    at 0x7C65CB: zim_spl_SplObjectStorage_unserialize (spl_observer.c:864)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0494 is 20 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid read of size 4
==32709==    at 0x982FC8: _zval_ptr_dtor (zend.h:391)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid write of size 4
==32709==    at 0x982FD2: _zval_ptr_dtor (zend.h:391)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid read of size 4
==32709==    at 0x982FE4: _zval_ptr_dtor (zend.h:379)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid read of size 8
==32709==    at 0x983009: _zval_ptr_dtor (zend_execute_API.c:437)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0498 is 24 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid read of size 1
==32709==    at 0x98303C: _zval_ptr_dtor (zend_variables.h:32)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0494 is 20 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 
==32709== Invalid free() / delete / delete[]
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0480 is 0 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709== 


Test script:
---------------
See these tests:
ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
ext/session/tests/session_decode_error2.phpt
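Every over-read in the first Valgrind trace lands 0 bytes after a block that zif_substr had just allocated, i.e. the unserializer kept reading past the end of a truncated token. The following is an added example, not PHP's own code, showing the end-pointer discipline that prevents this for a single s:<len>:"<bytes>"; token; cursor_t, expect, read_len, unserialize_string and parse_literal are names chosen here, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not PHP's own code: a bounds-checked reader for one
 * PHP-serialized string token, s:<len>:"<bytes>";. Every byte is
 * compared against `end` before it is read, so a token that substr()
 * cut short, or one whose declared length is forged, fails cleanly
 * instead of reading past the allocation. */

typedef struct {
    const unsigned char *cur;   /* next unread byte */
    const unsigned char *end;   /* one past the last valid byte */
} cursor_t;

/* Consumes c if it is the next byte; never reads at or past end. */
static int expect(cursor_t *cs, unsigned char c)
{
    if (cs->cur >= cs->end || *cs->cur != c) return 0;
    cs->cur++;
    return 1;
}

/* Decimal length; rejects empty digits and values that overflow size_t. */
static int read_len(cursor_t *cs, size_t *out)
{
    size_t v = 0, ndigits = 0;
    while (cs->cur < cs->end && *cs->cur >= '0' && *cs->cur <= '9') {
        unsigned d = *cs->cur - '0';
        if (v > (SIZE_MAX - d) / 10) return 0;
        v = v * 10 + d;
        cs->cur++;
        ndigits++;
    }
    *out = v;
    return ndigits > 0;
}

/* Parses s:<len>:"<bytes>"; from buf[0..buflen). On success *payload
 * points into buf, *plen is its length and the bytes consumed are
 * returned; malformed or truncated input returns -1 and the cursor
 * never moves past buf + buflen. */
long unserialize_string(const unsigned char *buf, size_t buflen,
                        const unsigned char **payload, size_t *plen)
{
    cursor_t cs = { buf, buf + buflen };
    size_t len, remain;
    if (!expect(&cs, 's') || !expect(&cs, ':')) return -1;
    if (!read_len(&cs, &len)) return -1;
    if (!expect(&cs, ':') || !expect(&cs, '"')) return -1;
    /* The declared length plus the closing "; must fit in what is
     * left; this is the check that stops a forged length from walking
     * off the end of the buffer. */
    remain = (size_t)(cs.end - cs.cur);
    if (len > remain || remain - len < 2) return -1;
    *payload = cs.cur;
    *plen = len;
    cs.cur += len;
    if (!expect(&cs, '"') || !expect(&cs, ';')) return -1;
    return (long)(cs.cur - buf);
}

/* Convenience for NUL-terminated input: bytes consumed, or -1. */
long parse_literal(const char *s)
{
    const unsigned char *p; size_t n;
    return unserialize_string((const unsigned char *)s, strlen(s), &p, &n);
}
```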



History

 [2011-11-12 20:36 UTC] tony2001@php.net
-Type: Bug +Type: Security -Package: Session related +Package: SPL related -Private report: No +Private report: Yes
 [2011-11-12 20:36 UTC] tony2001@php.net
Ok, that session test is now fixed and the SPL problem is still there, so they were probably not related.
 [2011-11-14 20:33 UTC] tony2001@php.net
Okay, so this is definitely related somehow to the changes in SPL, not in the unserialize itself.
It looks like at least this commit is partly guilty: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/ext/spl/spl_observer.c?r1=299692&r2=299770

I can propose this patch: http://dev.daylessday.org/diff/spl_observer.diff

It does fix the invalid reads/writes, but the test fails with a minor diff:
020+       object(stdClass)#4 (0) {
020-       object(stdClass)#3 (0) {
 [2011-11-14 20:33 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: mike
 [2011-12-02 11:50 UTC] mike@php.net
Automatic comment from SVN on behalf of mike
Revision: http://svn.php.net/viewvc/?view=revision&revision=320279
Log: Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings)
 [2011-12-02 11:50 UTC] mike@php.net
-Status: Assigned +Status: Closed
 [2011-12-02 11:50 UTC] mike@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:47 UTC] laruence@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=955cc549a058272487324e14771011e232547f37
Log: Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings)
 [2012-07-24 23:38 UTC] rasmus@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=955cc549a058272487324e14771011e232547f37
Log: Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings)
 [2013-11-17 09:34 UTC] laruence@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=php-src.git;a=commit;h=955cc549a058272487324e14771011e232547f37
Log: Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings)