PHP :: Bug #80072 :: Cyclic unserialize in TMPVAR operand may leak

Bug #80072	Cyclic unserialize in TMPVAR operand may leak
Submitted:	2020-09-07 08:53 UTC	Modified:	2021-07-02 08:38 UTC
From:	nikic@php.net	Assigned:
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	8.0Git-2020-09-07 (Git)	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	nikic@php.net
New email:
PHP Version:		OS:

New Comment:

[2020-09-07 08:53 UTC] nikic@php.net

Description:
------------
<?php
$s = 'O:8:"stdClass":1:{s:1:"x";r:1;}';
unserialize($s) % gc_collect_cycles();

This leaks the cyclic object, as we destroy TMPVAR operands with zval_ptr_dtor_nogc(). The unserialize() implementation manually registers a GC root for the return value, but the gc_collect_cycles() call here drops it again, because the cycle is not dead at the time of the call yet.

This is oss-fuzz #25441.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-07-02 08:38 UTC] nikic@php.net

Another reproducer without unserialize():

$a[]=&$a == $a=&$b > gc_collect_cycles();

[2021-07-02 13:30 UTC] git@php.net

Automatic comment on behalf of nikic
Revision: https://github.com/php/php-src/commit/52cf7ab8a27ace6fbff60674d7aeecf4adec1bc8
Log: Fix bug #80072: Root live tmpvars after GC

[2021-07-02 13:30 UTC] git@php.net

-Status: Open +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 13:01:29 2024 UTC