php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74096 Unserialize Possible integer overflow in memory allocation
Submitted: 2017-02-14 21:28 UTC Modified: 2017-02-14 21:35 UTC
From: cyoung at tripwire dot com Assigned:
Status: Not a bug Package: *Programming Data Structures
PHP Version: 7.1.2RC1 OS: Linux (4.4.0-59-generic)
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: cyoung at tripwire dot com
New email:
PHP Version: OS:

 

 [2017-02-14 21:28 UTC] cyoung at tripwire dot com
Description:
------------
It seems like this is a properly handled situation in 7.1.2RC1, but in older versions, there is no Fatal Error making me question if there may be a problem with older PHP (such as version PHP 5.6.17 (cli) (built: Jan  8 2016 10:27:48)).

Unserializing some crafted data leads to this error:
php -r "unserialize('a:1:{i:0;O:1:\"H\":01{}i:0;O:1:\"a\":01{yi:0;O:1:\"a\":3000000000{}i:');"
PHP Fatal error:  Possible integer overflow in memory allocation (3000000001 * 32 + 32) in Command line code on line 1

I am submitting this as a security bug so that someone with better knowledge of PHP internals can make sure this is safe behavior.

Test script:
---------------
php -r "unserialize('a:1:{i:0;O:1:\"H\":01{}i:0;O:1:\"a\":01{yi:0;O:1:\"a\":3000000000{}i:');"


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-02-14 21:35 UTC] stas@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2017-02-14 21:35 UTC] stas@php.net
Don't see an issue here. Looks to be intended behavior, and erroring out on bad data is ok.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC