php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #17728 unserialize fails to decode object data
Submitted: 2002-06-12 10:37 UTC Modified: 2002-10-14 19:26 UTC
Votes:16
Avg. Score:4.8 ± 0.5
Reproduced:15 of 15 (100.0%)
Same Version:9 (60.0%)
Same OS:5 (33.3%)
From: romans at void dot lv Assigned:
Status: No Feedback Package: Strings related
PHP Version: 4.3.0-dev + ZE2 OS: linux 2.4
Private report: No CVE-ID: None
 [2002-06-12 10:37 UTC] romans at void dot lv
Actually bugreport is about 4.3.0 (also tried CVS) with Zend2. 
I was trying to restore object data from session, and php segfaults, when i do session_start for the seccond time.

I guess it's unserialize's fault.

Here is a script causing the problem:

<?
class Test {
   var $a;
}
session_start();
var_dump($_SESSION);
echo "session started";
$x = new Test;
session_register('x');
var_dump($_SESSION);
?>

session data looks like this:
x|O:4:"test":1:{s:1:"a";N;}


Here is a gdb backtrace

(gdb) bt
#0  0x8170b51 in ?? () at eval.c:88
#1  0x40385c10 in _object_init_ex (arg=0x8171204, class_type=0x817bdac,
    tsrm_ls=0x812fe38) at /usr/src/x-apache/php4/Zend/zend_API.c:610
#2  0x40332b8e in php_var_unserialize (rval=0xbfffd898, p=0xbfffd89c,
    max=0x817790f "", var_hash=0xbfffd8a0, tsrm_ls=0x812fe38)
    at var_unserializer.re:196
#3  0x402dae00 in ps_srlzr_decode_php (
    val=0x81778f4 "x|O:4:\"test\":1:{s:1:\"a\";N;}", vallen=27,
    tsrm_ls=0x812fe38) at /usr/src/x-apache/php4/ext/session/session.c:412
#4  0x402db131 in php_session_decode (
    val=0x81778f4 "x|O:4:\"test\":1:{s:1:\"a\";N;}", vallen=27,
    tsrm_ls=0x812fe38) at /usr/src/x-apache/php4/ext/session/session.c:462
#5  0x402db454 in php_session_initialize (tsrm_ls=0x812fe38)
    at /usr/src/x-apache/php4/ext/session/session.c:542
#6  0x402dc6b6 in php_session_start (tsrm_ls=0x812fe38)
    at /usr/src/x-apache/php4/ext/session/session.c:898
#7  0x402de23c in zif_session_start (ht=0, return_value=0x8170b3c,
    this_ptr=0x0, return_value_used=0, tsrm_ls=0x812fe38)
    at /usr/src/x-apache/php4/ext/session/session.c:1324
#8  0x4039d6fe in execute (op_array=0x817788c, tsrm_ls=0x812fe38)
    at /usr/src/x-apache/php4/Zend/zend_execute.c:2107
#9  0x40384538 in zend_execute_scripts (type=8, tsrm_ls=0x812fe38, retval=0x0,
    file_count=3) at /usr/src/x-apache/php4/Zend/zend.c:833
---Type <return> to continue, or q <return> to quit---
#10 0x40357e4f in php_execute_script (primary_file=0xbffff9b0,
    tsrm_ls=0x812fe38) at /usr/src/x-apache/php4/main/main.c:1376
#11 0x403a7313 in php_output_filter (f=0x8168020, bb=0x8168270)
    at /usr/src/x-apache/php4/sapi/apache2filter/sapi_apache2.c:405
#12 0x808282f in ap_pass_brigade (next=0x8168020, bb=0x8168118)
    at util_filter.c:534
#13 0x8088285 in default_handler (r=0x8166b98) at core.c:3249
#14 0x8079379 in ap_run_handler (r=0x8166b98) at config.c:193
#15 0x807978a in ap_invoke_handler (r=0x8166b98) at config.c:373
#16 0x806acb2 in ap_process_request (r=0x8166b98) at http_request.c:261
#17 0x806762d in ap_process_http_connection (c=0x8162448) at http_core.c:291
#18 0x80810ad in ap_run_process_connection (c=0x8162448) at connection.c:85
#19 0x80812f3 in ap_process_connection (c=0x8162448, csd=0x8162378)
    at connection.c:207
#20 0x80781c8 in child_main (child_num_arg=0) at prefork.c:671
#21 0x807826b in make_child (s=0x812e400, slot=0) at prefork.c:711
#22 0x807833d in startup_children (number_to_start=5) at prefork.c:783
#23 0x807865a in ap_mpm_run (_pconf=0x80aee20, plog=0x80e6f00, s=0x812e400)
    at prefork.c:999
#24 0x807cd49 in main (argc=2, argv=0xbffffbf4) at main.c:632
#25 0x40173f5c in __libc_start_main (main=0x807c744 <main>, argc=2,
    ubp_av=0xbffffbf4, init=0x805e73c <_init>, fini=0x8091a24 <_fini>,
    rtld_fini=0x4000ce30 <_dl_fini>, stack_end=0xbffffbec)

sorry, but no additional information about globals / arguments. 

Thank you.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-12 10:40 UTC] romans at void dot lv
.
 [2002-06-13 05:00 UTC] tthiery at yahoo dot de
Same problem in win32/apache 1.3.22

function unserialize fails with classes.

code:
class A {
 var $a;
}

$a = new A();
$b = $a
$b->a = 4;
echo $a->a; //correct ze2: output = 4

$arr[0] = $a;
$arr[1] = $b;
$arr[1]->a = 5

echo $arr[0]->a; //correct ze2: output = 5

$str = serialize($arr);
delete $a;
$arr = null;
$arr = unserialize($str);  // ----------> crash

Thanx and good luck
 [2002-06-19 16:58 UTC] ifju at wicca dot hu
This problem has also occured in version 4.2.0. I've experienced it on FreeBSD 4.5-RELEASE-p4
 [2002-09-19 13:26 UTC] kalowsky@php.net
Can you try the patch posted in Bug #19493 and tell us if this works for you?  
 [2002-10-14 19:26 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 02 11:01:28 2024 UTC