PHP :: Bug #17728 :: unserialize fails to decode object data

Bug #17728

unserialize fails to decode object data

Submitted:

2002-06-12 10:37 UTC

Modified:

2002-10-14 19:26 UTC

Votes:	16
Avg. Score:	4.8 ± 0.5
Reproduced:	15 of 15 (100.0%)
Same Version:	9 (60.0%)
Same OS:	5 (33.3%)

From:

romans at void dot lv

Assigned:

Status:

No Feedback

Package:

Strings related

PHP Version:

4.3.0-dev + ZE2

OS:

linux 2.4

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	romans at void dot lv
New email:
PHP Version:		OS:

New/Additional Comment:

[2002-06-12 10:37 UTC] romans at void dot lv

Actually bugreport is about 4.3.0 (also tried CVS) with Zend2. 
I was trying to restore object data from session, and php segfaults, when i do session_start for the seccond time.

I guess it's unserialize's fault.

Here is a script causing the problem:

<?
class Test {
   var $a;
}
session_start();
var_dump($_SESSION);
echo "session started";
$x = new Test;
session_register('x');
var_dump($_SESSION);
?>

session data looks like this:
x|O:4:"test":1:{s:1:"a";N;}


Here is a gdb backtrace

(gdb) bt
#0  0x8170b51 in ?? () at eval.c:88
#1  0x40385c10 in _object_init_ex (arg=0x8171204, class_type=0x817bdac,
    tsrm_ls=0x812fe38) at /usr/src/x-apache/php4/Zend/zend_API.c:610
#2  0x40332b8e in php_var_unserialize (rval=0xbfffd898, p=0xbfffd89c,
    max=0x817790f "", var_hash=0xbfffd8a0, tsrm_ls=0x812fe38)
    at var_unserializer.re:196
#3  0x402dae00 in ps_srlzr_decode_php (
    val=0x81778f4 "x|O:4:\"test\":1:{s:1:\"a\";N;}", vallen=27,
    tsrm_ls=0x812fe38) at /usr/src/x-apache/php4/ext/session/session.c:412
#4  0x402db131 in php_session_decode (
    val=0x81778f4 "x|O:4:\"test\":1:{s:1:\"a\";N;}", vallen=27,
    tsrm_ls=0x812fe38) at /usr/src/x-apache/php4/ext/session/session.c:462
#5  0x402db454 in php_session_initialize (tsrm_ls=0x812fe38)
    at /usr/src/x-apache/php4/ext/session/session.c:542
#6  0x402dc6b6 in php_session_start (tsrm_ls=0x812fe38)
    at /usr/src/x-apache/php4/ext/session/session.c:898
#7  0x402de23c in zif_session_start (ht=0, return_value=0x8170b3c,
    this_ptr=0x0, return_value_used=0, tsrm_ls=0x812fe38)
    at /usr/src/x-apache/php4/ext/session/session.c:1324
#8  0x4039d6fe in execute (op_array=0x817788c, tsrm_ls=0x812fe38)
    at /usr/src/x-apache/php4/Zend/zend_execute.c:2107
#9  0x40384538 in zend_execute_scripts (type=8, tsrm_ls=0x812fe38, retval=0x0,
    file_count=3) at /usr/src/x-apache/php4/Zend/zend.c:833
---Type <return> to continue, or q <return> to quit---
#10 0x40357e4f in php_execute_script (primary_file=0xbffff9b0,
    tsrm_ls=0x812fe38) at /usr/src/x-apache/php4/main/main.c:1376
#11 0x403a7313 in php_output_filter (f=0x8168020, bb=0x8168270)
    at /usr/src/x-apache/php4/sapi/apache2filter/sapi_apache2.c:405
#12 0x808282f in ap_pass_brigade (next=0x8168020, bb=0x8168118)
    at util_filter.c:534
#13 0x8088285 in default_handler (r=0x8166b98) at core.c:3249
#14 0x8079379 in ap_run_handler (r=0x8166b98) at config.c:193
#15 0x807978a in ap_invoke_handler (r=0x8166b98) at config.c:373
#16 0x806acb2 in ap_process_request (r=0x8166b98) at http_request.c:261
#17 0x806762d in ap_process_http_connection (c=0x8162448) at http_core.c:291
#18 0x80810ad in ap_run_process_connection (c=0x8162448) at connection.c:85
#19 0x80812f3 in ap_process_connection (c=0x8162448, csd=0x8162378)
    at connection.c:207
#20 0x80781c8 in child_main (child_num_arg=0) at prefork.c:671
#21 0x807826b in make_child (s=0x812e400, slot=0) at prefork.c:711
#22 0x807833d in startup_children (number_to_start=5) at prefork.c:783
#23 0x807865a in ap_mpm_run (_pconf=0x80aee20, plog=0x80e6f00, s=0x812e400)
    at prefork.c:999
#24 0x807cd49 in main (argc=2, argv=0xbffffbf4) at main.c:632
#25 0x40173f5c in __libc_start_main (main=0x807c744 <main>, argc=2,
    ubp_av=0xbffffbf4, init=0x805e73c <_init>, fini=0x8091a24 <_fini>,
    rtld_fini=0x4000ce30 <_dl_fini>, stack_end=0xbffffbec)

sorry, but no additional information about globals / arguments. 

Thank you.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-06-12 10:40 UTC] romans at void dot lv

[2002-06-13 05:00 UTC] tthiery at yahoo dot de

Same problem in win32/apache 1.3.22

function unserialize fails with classes.

code:
class A {
 var $a;
}

$a = new A();
$b = $a
$b->a = 4;
echo $a->a; //correct ze2: output = 4

$arr[0] = $a;
$arr[1] = $b;
$arr[1]->a = 5

echo $arr[0]->a; //correct ze2: output = 5

$str = serialize($arr);
delete $a;
$arr = null;
$arr = unserialize($str);  // ----------> crash

Thanx and good luck

[2002-06-19 16:58 UTC] ifju at wicca dot hu

This problem has also occured in version 4.2.0. I've experienced it on FreeBSD 4.5-RELEASE-p4

[2002-09-19 13:26 UTC] kalowsky@php.net

Can you try the patch posted in Bug #19493 and tell us if this works for you?

[2002-10-14 19:26 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Feb 18 07:01:31 2025 UTC