PHP :: Bug #74300 :: unserialize accepts two plus/minus signs for float number exponent part

Bug #74300	unserialize accepts two plus/minus signs for float number exponent part
Submitted:	2017-03-23 14:48 UTC	Modified:	-
From:	xKhorasan+php at gmail dot com	Assigned:
Status:	Closed	Package:	*General Issues
PHP Version:	7.0Git-2017-03-23 (Git)	OS:	All
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	xKhorasan+php at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2017-03-23 14:48 UTC] xKhorasan+php at gmail dot com

Description:
------------
tested PHP version: PHP 7.0.18-dev (macOS Sierra 10.12.3)
configure option: --without-iconv

According to `ext/standard/var_unsrializer.re`, serialized float number is defined as `"d:" (iv | nv | nvexp) ";"`.
https://github.com/php/php-src/blob/fd4025069d561b4196851c2e9a85b5bfdfe1465a/ext/standard/var_unserializer.re#L731

And `nvexp` is defined as following:
> iv = [+-]? [0-9]+;
> nv = [+-]? ([0-9]* "." [0-9]+|[0-9]+ "." [0-9]*);
> nvexp = (iv | nv) [eE] [+-]? iv;
https://github.com/php/php-src/blob/fd4025069d561b4196851c2e9a85b5bfdfe1465a/ext/standard/var_unserializer.re#L320-L322

Since `nvexp` exponent part, i.e. `[+-]? iv`, contains optional plus/minus sign (`[+-]?`) and `iv`, and `iv` may contain plus/minus sign, `nvexp` may contain two plus/minus signs for exponent part.

In addition, if exponent part of serialized float number contains two plus/minus signs, the information of the exponent part is not used during unserializing.


Test script:
---------------
<?php
error_reporting(E_ALL);
var_dump(unserialize('d:2e+2;'));
var_dump(unserialize('d:2e++2;'));
var_dump(unserialize('d:2e+++2;'));


Expected result:
----------------
float(200)

Notice: unserialize(): Error at offset 0 of 8 bytes in %s on line %d
bool(false)

Notice: unserialize(): Error at offset 0 of 9 bytes in %s on line %d
bool(false)


Actual result:
--------------
float(200)
float(2)

Notice: unserialize(): Error at offset 0 of 9 bytes in %s on line %d
bool(false)

Patches

Pull Requests

Pull requests:

Fixed bug #74300 (php-src/2429)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-03-23 21:07 UTC] nikic@php.net

Automatic comment on behalf of xKhorasan@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6a1d4cd47a6ff20ae1619e0f8ec6de1eaa869258
Log: Fixed bug #74300

[2017-03-23 21:07 UTC] nikic@php.net

-Status: Open +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC