Bug #73917 var_dump recursion protection does not work for objects which create debug info
Submitted: 2017-01-12 07:02 UTC Modified: 2017-01-16 11:16 UTC
From: varsleak at gmail dot com Assigned: nikic (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6Git-2017-01-12 (Git) OS: Ubuntu 1604
Private report: No CVE-ID: None
 [2017-01-12 07:02 UTC] varsleak at gmail dot com
Description:
------------
The cli/php crashed when calling unserialize & var_dump; the gdb backtrace is below.

➜  cli git:(master) ✗ ./php5630RC1git -n -v 
PHP 5.6.30RC1 (cli) (built: Jan 11 2017 17:54:55) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
➜  cli git:(master) ✗ gdb ./php5630RC1git
...
(gdb) set args ./crash.php
...
Program received signal SIGSEGV, Segmentation fault.
xbuf_format_converter (xbuf=xbuf@entry=0x7fffff7ff830, fmt=fmt@entry=0xb7cbaa "%s\n%s: %s in %s on line %d\n%s", ap=ap@entry=0x7fffff7ff880) at /home/varsleak/github/php-src/main/spprintf.c:204
warning: Source file is more recent than executable.
204	
(gdb) backtrace full 5
#0  xbuf_format_converter (xbuf=xbuf@entry=0x7fffff7ff830, fmt=fmt@entry=0xb7cbaa "%s\n%s: %s in %s on line %d\n%s", ap=ap@entry=0x7fffff7ff880) at /home/varsleak/github/php-src/main/spprintf.c:204
        s = 0x0
        s_len = <error reading variable s_len (Cannot access memory at address 0x7fffff7fefa4)>
        free_zcopy = <error reading variable free_zcopy (Cannot access memory at address 0x7fffff7fefa8)>
        zvp = <optimized out>
        zcopy = <error reading variable zcopy (Cannot access memory at address 0x7fffff7fefb0)>
        min_width = 0
        precision = 0
        adjust = <optimized out>
        pad_char = <optimized out>
        prefix_char = <optimized out>
        fp_num = <optimized out>
        i_num = 0
        ui_num = 0
        num_buf = <error reading variable num_buf (Cannot access memory at address 0x7fffff7fefe0)>
        char_buf = <error reading variable char_buf (Cannot access memory at address 0x7fffff7fefd0)>
        lconv = 0x0
        modifier = <optimized out>
        alternate_form = <optimized out>
        print_sign = <optimized out>
        print_blank = <optimized out>
        adjust_precision = <optimized out>
        adjust_width = <optimized out>
        is_negative = <error reading variable is_negative (Cannot access memory at address 0x7fffff7fefac)>
#1  0x0000000000698349 in vspprintf (pbuf=pbuf@entry=0x7fffff7ff878, max_len=max_len@entry=0, format=format@entry=0xb7cbaa "%s\n%s: %s in %s on line %d\n%s", ap=ap@entry=0x7fffff7ff880)
    at /home/varsleak/github/php-src/main/spprintf.c:821
        xbuf = {c = 0x0, len = 0, a = 0}
#2  0x00000000006902dd in php_printf (format=format@entry=0xb7cbaa "%s\n%s: %s in %s on line %d\n%s") at /home/varsleak/github/php-src/main/main.c:756
        args = <error reading variable args (Attempt to dereference a generic pointer.)>
        ret = <optimized out>
        buffer = 0x696f30 <xbuf_format_converter+1456> "D\205$$L\211s\btF\213D$TA9\307~=H\213;D\211\372)\302H\205\377\017\204j\n"
        size = <optimized out>
#3  0x00000000006915cf in php_error_cb (type=2, error_filename=<optimized out>, error_lineno=11, format=<optimized out>, args=<optimized out>) at /home/varsleak/github/php-src/main/main.c:1189
        prepend_string = 0x0
        append_string = <optimized out>
        error_type_str = <optimized out>
        buffer = 0x1fbf010 "var_dump(): Invalid State Error"
        buffer_len = 31
        display = <optimized out>
#4  0x00000000006f87dc in zend_error (type=type@entry=2, format=format@entry=0xb7cbc5 "%s") at /home/varsleak/github/php-src/Zend/zend.c:1142
        args = <error reading variable args (Attempt to dereference a generic pointer.)>
        usr_copy = <error reading variable usr_copy (Attempt to dereference a generic pointer.)>
        params = <optimized out>
        retval = 0x0
        z_error_type = 0x7fffff7ffc68
        z_error_message = 0x0
        z_error_filename = 0x13
        z_error_lineno = 0x1
        z_context = 0x2
        error_filename = 0x7ffff7fb8f80 "/home/varsleak/php569rc/bin/crash.php"
        error_lineno = <optimized out>
        orig_user_error_handler = 0x11
        in_compilation = <optimized out>
        saved_class_entry = <optimized out>
(More stack frames follow...)


I replaced var_dump with print_r, but the program went into an endless loop.

Test script:
---------------
<?php

	// Serialized DOMEntity whose single property is a back-reference (R:1)
	// to the object itself. The object format is O:len:"Class":count:{...},
	// so the property list must be brace-delimited. S: is the escaped-string
	// form, where "\00" stands for a NUL byte.
	$data = 'O:9:"DOMEntity":1:{S:19:"\00Exception\00previous";R:1;}';

	$unstr = unserialize($data);

	// DOM objects build their debug info afresh on every call, so var_dump's
	// recursion protection never triggers and the dump recurses until the
	// stack is exhausted (SIGSEGV); print_r loops endlessly for the same reason.
	var_dump($unstr);
	// print_r($unstr);
?>

 [2017-01-13 12:23 UTC] cmb@php.net
-Summary: php crashed when call unserizlize & var_dump +Summary: php crashed when call unserialize & var_dump
 [2017-01-16 06:58 UTC] stas@php.net
-Summary: php crashed when call unserialize & var_dump +Summary: var_dump recursion protection does not work for objects which create debug info -Type: Security +Type: Bug
 [2017-01-16 06:58 UTC] stas@php.net
The issue here is that var_dump recursion protection does not work for self-referential objects that create their own debug info, since var_dump relies on the apply count and the apply count is created afresh each time. Not a security issue though.
 [2017-01-16 11:16 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2017-01-16 11:16 UTC] nikic@php.net
As this has been classified as not a security issue, I'm closing this bug report, as the issue has been resolved in actively supported versions of PHP (7.0+). In PHP 7 we're using the apply count on the object instead.
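The mechanism stas and nikic describe, shown in plain PHP as an added example that is not part of the bug report or of php-src (the class names Node and GuardedNode are made up for illustration). It mirrors the shape of the DOMEntity payload without unserialize(): an object whose debug info is rebuilt on every call and that refers back to itself, followed by a __debugInfo() written so that the cycle never reaches var_dump() in the first place.

```php
<?php
// Added example, not from the bug report or from php-src. Node and
// GuardedNode are illustrative names. Shows why recursion protection keyed
// on the freshly built debug-info array cannot work, and how PHP 7.0+
// (apply count on the object) and a defensive __debugInfo() each stop it.

class Node
{
    /** @var Node|null */
    public $peer;

    public function __debugInfo(): array
    {
        // A brand-new array on every call. Protection keyed on this array
        // can never fire, because no earlier var_dump() frame has ever
        // marked it; that is the PHP 5.6 failure mode from the report.
        return ['peer' => $this->peer];
    }
}

$a = new Node();
$a->peer = $a; // self-reference, the counterpart of "R:1" in the payload

// PHP 7.0+ keys the protection on the object itself, so the nested dump
// is cut off instead of recursing:
//   object(Node)#1 (1) {
//     ["peer"]=>
//     *RECURSION*
//   }
var_dump($a);

// Defensive variant for code that must also run on runtimes without the
// fix: never hand var_dump()/print_r() a structure that points back at the
// object being dumped. Replace the direct cycle with an opaque marker.
class GuardedNode extends Node
{
    public function __debugInfo(): array
    {
        $peer = $this->peer;
        if ($peer === $this) {
            $peer = '*self* (' . spl_object_hash($this) . ')';
        }
        return ['peer' => $peer];
    }
}

$b = new GuardedNode();
$b->peer = $b;
var_dump($b); // ["peer"]=> string(...) "*self* (...)": no recursion at all
```

The guarded variant only breaks a direct self-reference; a longer cycle (a->b->a) built through two __debugInfo() calls still recurses on a runtime without the fix, which is why the general remedy is the object-level apply count PHP 7 uses rather than anything the class can do on its own. The same caution applies to any value that comes out of unserialize() on data you did not produce, as in the reproducer: dumping it on an affected 5.6 build is a denial-of-service (stack exhaustion), even though, as stas notes, it is not a memory-safety issue.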