php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #14082 unserialize have problems with negative numbers
Submitted: 2001-11-16 08:20 UTC Modified: 2001-11-16 13:13 UTC
From: alberty at neptunelabs dot com Assigned:
Status: Closed Package: Variables related
PHP Version: 4.0CVS-2001-11-16 OS: i686-pc-linux-gnu
Private report: No CVE-ID: None
 [2001-11-16 08:20 UTC] alberty at neptunelabs dot com
Hi,

i have detect two annoyingly bugs ;-) with serialize/unserialize.

The first bug indicate that unserialize can't work with negative
integer numbers.

The second problem brings php to crash! Unserialize
crash if you manipulate the count of expecting array
vars.

Bug 1:

<?php
// Results: 'Warning: unserialize() failed at offset 13 of 39 bytes'
//          and an empty result string, but not false 
// because $foo['a'] is -1

error_reporting(2047);
$foo['a']=(int)-1;
$foo['b']=(string)'Paris';
$bar=serialize($foo);
if ($bar!=false){
	echo $bar;
	$nop=unserialize($bar);
	print_r($nop);
}
?>


---------------

Bug 2:

<?php
// Result: PHP crash, because the array number is smaller than serialized string

error_reporting(2047);
$ser_string='a:1:{s:1:"a";i:1000;s:1:"b";s:5:"Paris";}';
//             ^- actually 2
$unser_string=unserialize($ser_string);
?>

I have tried to make a bt, but gdb notify no fault.
In debug mode some of my script warns with this:
"Warning: String is not zero-terminated (source: ./zend_execute.c:449)"
but i think that is another problem.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-11-16 13:13 UTC] derick@php.net
Fixed in CVS

Derick
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Aug 12 15:01:24 2020 UTC