|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2017-02-14 21:35 UTC] stas@php.net
-Status: Open
+Status: Not a bug
-Type: Security
+Type: Bug
[2017-02-14 21:35 UTC] stas@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Sep 07 23:01:27 2024 UTC |
Description: ------------ It seems like this is a properly handled situation in 7.1.2RC1, but in older versions, there is no Fatal Error making me question if there may be a problem with older PHP (such as version PHP 5.6.17 (cli) (built: Jan 8 2016 10:27:48)). Unserializing some crafted data leads to this error: php -r "unserialize('a:1:{i:0;O:1:\"H\":01{}i:0;O:1:\"a\":01{yi:0;O:1:\"a\":3000000000{}i:');" PHP Fatal error: Possible integer overflow in memory allocation (3000000001 * 32 + 32) in Command line code on line 1 I am submitting this as a security bug so that someone with better knowledge of PHP internals can make sure this is safe behavior. Test script: --------------- php -r "unserialize('a:1:{i:0;O:1:\"H\":01{}i:0;O:1:\"a\":01{yi:0;O:1:\"a\":3000000000{}i:');"