Bug #72960 unserialize DOMConfiguration causes stack-overflow
Submitted: 2016-08-29 03:32 UTC
Modified: 2021-08-11 09:50 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: fernando at null-life dot com
Assigned: cmb
Status: Closed
Package: *General Issues
PHP Version: 5.6.25
OS: *
Private report: No
CVE-ID: None

 [2016-08-29 03:32 UTC] fernando at null-life dot com
Description:
------------
A wrong serialized string causes infinite recursion and, finally, stack exhaustion when we try to deserialize the "DOMConfiguration" class.


Test script:
---------------
<?php

$x = 'O:16:"DOMConfiguration":1:{s:1:"A";r:1;}';
var_dump(unserialize($x));

Expected result:
----------------
object(DOMConfiguration)#1 (1) {
  ["A"]=>
  *RECURSION*
}

Actual result:
--------------
object(DOMConfiguration)#1 (1) {
  ["A"]=>
  object(DOMConfiguration)#1 (1) {
    ["A"]=>
    object(DOMConfiguration)#1 (1) {
      ["A"]=>
      object(DOMConfiguration)#1 (1) {
        ["A"]=>
        object(DOMConfiguration)#1 (1) {
....

---------------------------

ASan output:

==23077==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdf18a8e58 (pc 0x7ff155350bd6 bp 0x7ffdf18a96d0 sp 0x7ffdf18a8e60 T0)
    #0 0x7ff155350bd5 in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbd5)
    #1 0x16bbb2f in memset /usr/include/x86_64-linux-gnu/bits/string3.h:90
    #2 0x16bbb2f in xbuf_format_converter /home/operac/php-src-56/php-src/main/spprintf.c:789
    #3 0x16c4011 in vspprintf /home/operac/php-src-56/php-src/main/spprintf.c:821
    #4 0x1699807 in php_printf /home/operac/php-src-56/php-src/main/main.c:756
    #5 0x14e9e96 in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:67
    #6 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #7 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #8 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #9 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #10 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #11 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #12 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #13 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #14 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #15 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #16 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #17 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #18 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #19 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #20 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #21 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #22 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #23 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #24 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #25 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #26 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #27 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
...

SUMMARY: AddressSanitizer: stack-overflow ??:0 __asan_memset

History
 [2016-08-29 08:48 UTC] stas@php.net
-Type: Security
+Type: Bug
 [2021-08-11 09:50 UTC] cmb@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: cmb
 [2021-08-11 09:50 UTC] cmb@php.net
This is fixed as of PHP 7.0.0: <https://3v4l.org/AScS5>
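
In the report's test string, the value of property "A" is `r:1;`, a back-reference to slot 1, which is the DOMConfiguration object that is still being built. The following triage helper is an added example, not part of the report or of php-src: it walks serialized text and lists every back-reference that targets an enclosing container. The function name, the second sample string and the slot-numbering rule stated in the comment are assumptions of this example.

```python
# Added example (not php-src code). Assumed slot numbering: slots start at 1,
# every value except R: takes one, array/property keys take none.
REPORT_PAYLOAD = b'O:16:"DOMConfiguration":1:{s:1:"A";r:1;}'  # test string from the report
ACYCLIC_SAMPLE = b'a:2:{i:0;O:8:"stdClass":0:{}i:1;r:2;}'     # constructed: r:2 targets a closed object

def find_cycles(data: bytes):
    """Return [(container, slot)] for each r:/R: that targets a still-open container."""
    pos, slots, open_slots, hits = 0, 0, [], []

    def until(ch, extra=0):
        nonlocal pos
        end = data.index(ch, pos)
        tok, pos = data[pos:end], end + 1 + extra   # extra skips a following '{'
        return tok

    def quoted():
        nonlocal pos
        n = int(until(b":"))                  # declared byte length
        s = data[pos + 1:pos + 1 + n]
        pos += n + 3                          # two quotes, n bytes, trailing ';' or ':'
        return s

    def value(is_key=False):
        nonlocal pos, slots
        t = data[pos:pos + 1]
        pos += 2                              # type letter plus ':' (or the ';' of N;)
        if t != b"R" and not is_key:
            slots += 1
        if t in (b"b", b"i", b"d"):
            until(b";")
        elif t == b"s":
            quoted()
        elif t in (b"r", b"R"):
            target = int(until(b";"))
            hits.extend((name, slot) for slot, name in open_slots if slot == target)
        elif t in (b"a", b"O"):
            name = quoted().decode("latin-1") if t == b"O" else "array"
            count = int(until(b":", extra=1))
            open_slots.append((slots, name))  # slots is this container's own slot
            for _ in range(count):
                value(is_key=True)
                value()
            open_slots.pop()
            pos += 1                          # closing '}'
        elif t != b"N":
            raise ValueError(f"unsupported type {t!r} at offset {pos - 2}")
    value()
    return hits
```

serialize() itself emits `r:1;` for an object that holds a reference to itself, so a hit marks input worth reviewing before it reaches unserialize(), not input that is necessarily malformed.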