Bug #71850 packed hashtable converted to a hash
Submitted: 2016-03-18 03:42 UTC Modified: 2016-03-19 14:23 UTC
From: niubl at knownsec dot com Assigned:
Status: Duplicate Package: Scripting Engine problem
PHP Version: 7.0.5RC1 OS: Kali Linux
Private report: No CVE-ID: None

 [2016-03-18 03:42 UTC] niubl at knownsec dot com
Description:
------------
When an array's packed hashtable is converted to a hash and a reference ($array[2]) is about to be assigned to an object ($array[3]), it fails to change the object's type to a reference, so it crashes when the array treats the reference as an object.

Is it a security problem?

My English is so-so and I hope you can understand.

Test script:
---------------
<?php

class TestX {
  var $i;
}

class TestY {
  var $A = array();

  function __construct() {

    // TestX declares no constructor, so the argument is ignored.
    $obj = new TestX(2);
    // First write goes to index 3 of an empty array: the table is created
    // packed, with unused slots (holes) at indexes 0..2.
    $this->A[3] = $obj;
    // Binding index 3 to a reference of index 2 fills a hole below index 3,
    // which converts the packed table to a hash while index 3 is being written.
    $this->A[3] = &$this->A[2];
  }
}

$before = new TestY();
//var_dump($before);
// Serialising walks the array; the backtrace below shows the fault reached
// from php_var_serialize_intern.
$ser = serialize($before);
?>

Expected result:
----------------
object(TestY)#1 (1) {
  ["A"]=>
  array(2) {
    [3]=>
    &NULL
    [2]=>
    &NULL
  }
}


Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000c08 in ?? ()
(gdb) bt full
#0  0x0000000000000c08 in ?? ()
No symbol table info available.
#1  0x0000000000648af4 in php_var_serialize_intern (buf=0x7fffffffa820, struc=0x7ffff385eca0, var_hash=0x7ffff3803040) at /root/Desktop/php-src/ext/standard/var.c:847
        serialized_data = 0x0
        serialized_length = 4245278497
        retval = {
          value = {
            lval = 0, 
            dval = 0, 
            counted = 0x0, 
            str = 0x0, 
            arr = 0x0, 
            obj = 0x0, 
            res = 0x0, 
            ref = 0x0, 
            ast = 0x0, 
            zv = 0x0, 
            ptr = 0x0, 
            ce = 0x0, 
            func = 0x0, 
            ww = {
              w1 = 0, 
              w2 = 0
            }
          }, 
          u1 = {
            v = {
              type = 72 'H', 
              type_flags = 166 '\246', 
              const_flags = 255 '\377', 
              reserved = 255 '\377'
            }, 
            type_info = 4294944328
          }, 
          u2 = {
            var_flags = 32767, 
            next = 32767, 
            cache_slot = 32767, 
            lineno = 32767, 
            num_args = 32767, 
            fe_pos = 32767, 
            fe_iter_idx = 32767, 
            access_flags = 32767
          }
        }
        fname = {
          value = {
            lval = 4245278497, 
            dval = 2.0974462623962614e-314, 
            counted = 0xfd09cf21, 
            str = 0xfd09cf21, 
            arr = 0xfd09cf21, 
            obj = 0xfd09cf21, 
            res = 0xfd09cf21, 
            ref = 0xfd09cf21, 
            ast = 0xfd09cf21, 
            zv = 0xfd09cf21, 
            ptr = 0xfd09cf21, 
            ce = 0xfd09cf21, 
            func = 0xfd09cf21, 
            ww = {
              w1 = 4245278497, 
              w2 = 0
            }
          }, 
          u1 = {
            v = {
              type = 60 '<', 
              type_flags = 39 '\'', 
              const_flags = 244 '\364', 
              reserved = 3 '\003'
            }, 
            type_info = 66332476
          }, 
          u2 = {
            var_flags = 0, 
            next = 0, 
            cache_slot = 0, 
            lineno = 0, 
            num_args = 0, 
            fe_pos = 0, 
            fe_iter_idx = 0, 
            access_flags = 0
          }
        }
        res = <optimized out>
        ce = <optimized out>
        myht = <optimized out>
#2  0x0000000000648f52 in php_var_serialize_intern (buf=0x7fffffffa820, struc=0x7ffff3857338, var_hash=0x7ffff3803040) at /root/Desktop/php-src/ext/standard/var.c:944
        _z = 0x7ffff385eca0
        _p = 0x7ffff385eca0
        _end = 0x7ffff385ece0
        key = <optimized out>
        data = 0x7ffff385eca0
        index = <optimized out>
        i = <optimized out>
        incomplete_class = 0 '\000'
        myht = <optimized out>
#3  0x0000000000648f52 in php_var_serialize_intern (buf=0x7fffffffa820, struc=0x7ffff3814180, var_hash=0x7ffff3803040) at /root/Desktop/php-src/ext/standard/var.c:944
        _z = 0x7ffff3857338
        _p = 0x7ffff385eb60
        _end = 0x7ffff385eb80
        key = <optimized out>
        data = 0x7ffff3857338
        index = <optimized out>
        i = <optimized out>
        incomplete_class = 0 '\000'
        myht = <optimized out>
#4  0x000000000064cba8 in php_var_serialize_intern (var_hash=<optimized out>, struc=<optimized out>, buf=0x7fffffffa820, buf@entry=0x7fffffffa7e0) at /root/Desktop/php-src/ext/standard/var.c:968
No locals.
#5  php_var_serialize (buf=buf@entry=0x7fffffffa820, struc=<optimized out>, data=data@entry=0x7fffffffa818) at /root/Desktop/php-src/ext/standard/var.c:966
No locals.
#6  0x000000000064cc54 in zif_serialize (execute_data=<optimized out>, return_value=0x7ffff3814100) at /root/Desktop/php-src/ext/standard/var.c:984
        struc = 0x7ffff3814180
        var_hash = 0x7ffff3803040
        buf = {
          s = 0x7ffff3874300, 
          a = 231
        }
#7  0x0000000000727abd in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at /root/Desktop/php-src/Zend/zend_vm_execute.h:640
        call = 0x7ffff3814120
        fbc = <optimized out>
        ret = <optimized out>
#8  0x000000000070eb1b in execute_ex (ex=<optimized out>) at /root/Desktop/php-src/Zend/zend_vm_execute.h:423
        orig_opline = 0x7ffff387f000
        orig_execute_data = 0x0
#9  0x000000000076ea07 in zend_execute (op_array=0x7ffff387f000, op_array@entry=0x7ffff385eae0, return_value=return_value@entry=0x7ffff3814030) at /root/Desktop/php-src/Zend/zend_vm_execute.h:467
        execute_data = 0x7ffff3814030
#10 0x00000000006d0be4 in zend_execute_scripts (type=type@entry=8, retval=0x7ffff3814030, retval@entry=0x0, file_count=file_count@entry=3) at /root/Desktop/php-src/Zend/zend.c:1427
        files = <error reading variable files (Attempt to dereference a generic pointer.)>
        i = 1
        file_handle = 0x7fffffffce50
        op_array = 0x7ffff385eae0
#11 0x0000000000674080 in php_execute_script (primary_file=primary_file@entry=0x7fffffffce50) at /root/Desktop/php-src/main/main.c:2487
        realfile = "/root/Desktop/crashes/crashes.2016-03-14-08_18_19/test1.php\000\000\000\000\000(\000\000\000\000\000\000\000\a\000\000\000\000\000\000\000`\000\000\000\000\000\000\000\220\000\000\000\000\000\000\000\a\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\061\000\000\000\377\177\000\000\000\000\000\000\000\000\000\000[\000\000\000n", '\000' <repeats 15 times>, "n", '\000' <repeats 19 times>, "w\000\000\000|\000\000\000(\000\000\000\000\000\000\000\000<\312\366\377\177\000\000`\000\000\000\000\000\000\000"...
        __orig_bailout = 0x7fffffffcec0
        __bailout = {{
            __jmpbuf = {0, 5509280956322737466, 15629472, 12167384, 1, 140737488347224, 5509280959705443642, -5509280140708876998}, 
            __mask_was_saved = 0, 
            __saved_mask = {
              __val = {0, 0, 0, 0, 0, 0, 15362560, 15415648, 0, 0, 2, 22, 64, 2, 0, 48}
            }
          }}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {
          handle = {
            fd = 0, 
            fp = 0x0, 
            stream = {
              handle = 0x0, 
              isatty = 0, 
              mmap = {
                len = 0, 
                pos = 0, 
                map = 0x0, 
                buf = 0x0, 
                old_handle = 0x0, 
                old_closer = 0x0
              }, 
              reader = 0x0, 
              fsizer = 0x0, 
              closer = 0x0
            }
          }, 
          filename = 0x0, 
          opened_path = 0x0, 
          type = ZEND_HANDLE_FILENAME, 
          free_filename = 0 '\000'
        }
        append_file = {
          handle = {
            fd = 0, 
            fp = 0x0, 
            stream = {
              handle = 0x0, 
              isatty = 0, 
              mmap = {
                len = 0, 
                pos = 0, 
                map = 0x0, 
                buf = 0x0, 
                old_handle = 0x0, 
                old_closer = 0x0
              }, 
              reader = 0x0, 
              fsizer = 0x0, 
              closer = 0x0
            }
          }, 
          filename = 0x0, 
          opened_path = 0x0, 
          type = ZEND_HANDLE_FILENAME, 
          free_filename = 0 '\000'
        }
        old_cwd = 0x7fffffffa970 ""
        retval = 0
#12 0x0000000000770624 in do_cli (argc=2, argv=0xee7c50) at /root/Desktop/php-src/sapi/cli/php_cli.c:974
        __orig_bailout = 0x7fffffffe060
        __bailout = {{
            __jmpbuf = {15415648, 5509280957797559610, 0, 0, 0, 140737488347224, 5509280956320640314, -5509280284273218246}, 
            __mask_was_saved = 0, 
            __saved_mask = {
              __val = {12047014, 12047038, 11943101, 11943122, 12047051, 12047071, 12047088, 12047652, 12047109, 12047123, 12047145, 12047164, 12047191, 12047220, 0, 0}
            }
          }}
        c = <optimized out>
        file_handle = {
          handle = {
            fd = -209231856, 
            fp = 0x7ffff3876010, 
            stream = {
              handle = 0x7ffff3876010, 
              isatty = 0, 
              mmap = {
                len = 260, 
                pos = 0, 
                map = 0x7ffff7fed000, 
                buf = 0x7ffff7fed000 <error: Cannot access memory at address 0x7ffff7fed000>, 
                old_handle = 0xfeaee0, 
                old_closer = 0x6ec1e0 <zend_stream_stdio_closer>
              }, 
              reader = 0x6ec210 <zend_stream_stdio_reader>, 
              fsizer = 0x6ec180 <zend_stream_stdio_fsizer>, 
              closer = 0x6ec100 <zend_stream_mmap_closer>
            }
          }, 
          filename = 0xee7ca0 "/root/Desktop/crashes/crashes.2016-03-14-08_18_19/test1.php", 
          opened_path = 0x0, 
          type = ZEND_HANDLE_MAPPED, 
          free_filename = 0 '\000'
        }
        behavior = <optimized out>
        reflection_what = 0x0
        request_started = 1
        exit_status = 0
        php_optarg = 0x0
        php_optind = 2
        exec_direct = <optimized out>
        exec_run = <optimized out>
        exec_begin = <optimized out>
        exec_end = <optimized out>
        arg_free = <optimized out>
        arg_excp = <optimized out>
        script_file = <optimized out>
        translated_path = 0xfeb310 "/root/Desktop/crashes/crashes.2016-03-14-08_18_19/test1.php"
        lineno = 1
        param_error = 0x0
#13 0x000000000042a7c8 in main (argc=2, argv=0xee7c50) at /root/Desktop/php-src/sapi/cli/php_cli.c:1345
        __orig_bailout = 0x0
        __bailout = {{
            __jmpbuf = {15415648, 5509280957797559610, 0, 0, 0, 140737488347224, 5509280955867655482, -5509280384737678022}, 
            __mask_was_saved = 0, 
            __saved_mask = {
              __val = {4131212846, 4294967295, 140737330963030, 140737330106872, 140737353968088, 140737333836888, 140737330552649, 0, 140737330537295, 0, 0, 72704, 72752, 4352, 18446744073709547520, 1}
            }
          }}
        c = <optimized out>
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x0
        php_optind = 1
        use_extended_info = 0
        ini_path_override = 0x0
        ini_entries = 0xee7f10 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\n"
        ini_entries_len = 0
        ini_ignore = 0
        sapi_module = <optimized out>
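
The mechanism the reporter describes, modelled as an added C example (this is not PHP source, and every name in it, such as table_t, lookup_for_write and table_to_hash, is invented for the illustration): a table in packed mode keeps values in a plain array indexed directly by key; filling a hole below the high-water mark would break insertion order, so the table converts to hash mode in a fresh allocation, and any slot pointer taken before that conversion dangles. The first function shows that for `$A[3] = &$A[2]`, a destination pointer resolved before the source no longer lies in live storage once the source lookup has converted the table (addresses are compared as integers, so the check itself is well-defined); the second resolves the destination only after the insert that can move storage, and ends with both slots as references in the order [3], [2] seen in the expected var_dump.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Toy model of a two-mode table (added example, not PHP source; all names invented).
 * PACKED: values live in a plain array indexed directly by integer key, holes allowed.
 * HASH: key/value buckets in insertion order. Filling a hole in PACKED mode would
 * break insertion order, so it converts the table to HASH, which moves every slot
 * to a fresh allocation. */

typedef enum { T_NULL, T_OBJECT, T_REFERENCE } ztype;
typedef struct { ztype type; long payload; } zval_t;           /* stand-in for a zval */
typedef struct { long key; zval_t val; int used; } bucket_t;

typedef struct {
    int packed;      /* 1 = PACKED, 0 = HASH */
    size_t cap;      /* buckets allocated */
    size_t used;     /* PACKED: high-water mark (max key + 1); HASH: buckets in use */
    bucket_t *slots; /* storage; replaced on conversion, so never cache a pointer into it across an insert */
} table_t;

static void table_init(table_t *t) {
    t->packed = 1; t->cap = 8; t->used = 0;
    t->slots = calloc(t->cap, sizeof *t->slots);
}
static void table_free(table_t *t) { free(t->slots); t->slots = NULL; }

/* PACKED -> HASH: copy occupied slots, in key order, into a new allocation and free the old one. */
static void table_to_hash(table_t *t) {
    bucket_t *old = t->slots, *fresh = calloc(t->cap, sizeof *fresh);
    size_t n = 0;
    for (size_t i = 0; i < t->used; i++)
        if (old[i].used) { fresh[n] = old[i]; fresh[n].key = (long)i; n++; }
    t->slots = fresh; t->used = n; t->packed = 0;
    free(old); /* every pointer previously returned into 'old' is now dangling */
}

/* Find-or-insert by integer key; returns a pointer to the slot's value.
 * The pointer is only valid until the next insert into the same table. */
static zval_t *lookup_for_write(table_t *t, long key) {
    if (t->packed) {
        size_t k = (size_t)key;
        if (k < t->used && t->slots[k].used) return &t->slots[k].val;  /* existing slot */
        if (k >= t->used && k < t->cap) {                                 /* append keeps PACKED */
            t->slots[k].used = 1; t->slots[k].key = key; t->used = k + 1;
            return &t->slots[k].val;
        }
        table_to_hash(t); /* hole below the high-water mark (or toy table full): convert */
    }
    for (size_t i = 0; i < t->used; i++)
        if (t->slots[i].key == key) return &t->slots[i].val;
    if (t->used == t->cap) { t->cap *= 2; t->slots = realloc(t->slots, t->cap * sizeof *t->slots); }
    t->slots[t->used] = (bucket_t){ key, { T_NULL, 0 }, 1 };
    return &t->slots[t->used++].val;
}

/* Buggy evaluation order for `$A[3] = &$A[2]`: destination resolved before the source.
 * Returns 1 if the cached destination pointer no longer lies inside live storage,
 * i.e. writing the reference through it would touch freed memory. */
static int assign_ref_dst_first_is_stale(void) {
    table_t t; table_init(&t);
    *lookup_for_write(&t, 3) = (zval_t){ T_OBJECT, 42 };   /* $this->A[3] = $obj (PACKED, holes 0..2) */
    zval_t *dst = lookup_for_write(&t, 3);                 /* destination slot, still in PACKED storage */
    uintptr_t dst_addr = (uintptr_t)dst;                   /* remembered as an integer, never dereferenced */
    zval_t *src = lookup_for_write(&t, 2);                 /* fills a hole: PACKED -> HASH, old storage freed */
    src->type = T_REFERENCE;                               /* src is live; dst is not */
    uintptr_t lo = (uintptr_t)t.slots, hi = lo + t.cap * sizeof *t.slots;
    int stale = !(dst_addr >= lo && dst_addr < hi);
    table_free(&t);
    return stale;
}

/* Safe order: perform every insert that can move storage first, then resolve the
 * destination and write. Returns 1 when both slots end up as references and the
 * table kept insertion order [3], [2]. */
static int assign_ref_src_first_is_sound(void) {
    table_t t; table_init(&t);
    *lookup_for_write(&t, 3) = (zval_t){ T_OBJECT, 42 };
    zval_t *src = lookup_for_write(&t, 2);                 /* conversion happens here */
    src->type = T_REFERENCE;
    zval_t *dst = lookup_for_write(&t, 3);                 /* key exists: no insert, src stays valid */
    *dst = *src;
    int ok = dst->type == T_REFERENCE && !t.packed && t.slots[0].key == 3 && t.slots[1].key == 2;
    table_free(&t);
    return ok;
}

int main(void) {
    printf("destination-first order leaves a dangling slot pointer: %d\n", assign_ref_dst_first_is_stale());
    printf("source-first order is sound: %d\n", assign_ref_src_first_is_sound());
    return 0;
}
```

The general rule the model illustrates: a pointer into a container is invalidated by any later operation that may reallocate or reshape it, so the write side of an assignment has to be re-resolved by key after the read side has done its inserts, not cached across them.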


History

 [2016-03-19 05:54 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-03-19 05:54 UTC] stas@php.net
Not a security issue.
 [2016-03-19 05:55 UTC] stas@php.net
-Package: Unknown/Other Function +Package: Scripting Engine problem
 [2016-03-19 14:23 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2016-03-19 14:23 UTC] nikic@php.net
Duplicate of bug #71539.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 19:01:29 2024 UTC