Bug #25378 Invalid data passed to unserialize() causes segfault
Submitted: 2003-09-03 05:21 UTC Modified: 2003-09-06 20:56 UTC
From: skissane at ics dot mq dot edu dot au Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.3.4-dev, 5.0.0b2-dev; 5CVS-2003-09-06-0330 OS: *
Private report: No CVE-ID:
 [2003-09-03 05:21 UTC] skissane at ics dot mq dot edu dot au
Invalid string data passed to the unserialize function causes a segfault.

Reproduce code:
<? unserialize("s:-1:\"\";"); ?>

Expected result:
No segfault.
Raise an error about data passed to unserialize being invalid.

Actual result:
#0  0x4207c45c in memcpy () from /lib/tls/
#1  0x081192e0 in _estrndup (s=0xbfffcb04 "\024\220\035\b", length=136191999) at /home/skissane/php-4.3.3/Zend/zend_alloc.c:387
#2  0x080dae02 in php_var_unserialize (rval=0xbfffcb04, p=0xbfffcae4, max=0x81d8ffc "", var_hash=0xbfffcae8)
    at /home/skissane/php-4.3.3/ext/standard/var_unserializer.c:549
#3  0x080d2d5c in zif_unserialize (ht=1, return_value=0x81d9014, this_ptr=0x0, return_value_used=0) at /home/skissane/php-4.3.3/ext/standard/var.c:671
#4  0x081335ea in execute (op_array=0x81dcec4) at /home/skissane/php-4.3.3/Zend/zend_execute.c:1616
#5  0x08126d0d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/skissane/php-4.3.3/Zend/zend.c:885
#6  0x081016d7 in php_execute_script (primary_file=0xbfffefc0) at /home/skissane/php-4.3.3/main/main.c:1723
#7  0x081381f3 in main (argc=2, argv=0xbffff044) at /home/skissane/php-4.3.3/sapi/cli/php_cli.c:818
#8  0x420156a4 in __libc_start_main () from /lib/tls/

 [2003-09-03 11:27 UTC]
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at
In case this was a documentation problem, the fix will show up soon at

In case this was a website problem, the change will show
up on the site and on the mirror sites in short time.
Thank you for the report, and for helping us make PHP better.

 [2003-09-06 01:55 UTC] skissane at ics dot mq dot edu dot au
The fix in the CVS only partially solves the problem. This reproduce script still causes a segfault:

echo unserialize("s:99999999:\"\";");

The problem is that the unserialize code is not checking that the length of the string given in the argument to s is less than the length of the string given as the argument to unserialize. Large enough numbers return random junk from memory; even larger numbers segfault. Negative numbers = very large positive numbers in two's complement arithmetic!
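As an added example (not code from PHP's var_unserializer.c and not from this report), the following is a minimal C parser for one serialized string token of the form s:N:"...";. It enforces the check the comment above asks for: N must be non-negative, must not overflow, and N plus the closing quote and semicolon must fit inside the bytes that remain in the input. The function names, return codes and sample inputs are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes for this toy parser (constructed for the example, not PHP's API). */
enum { PARSE_OK = 0, PARSE_BAD_FORMAT = -1, PARSE_BAD_LENGTH = -2 };

/*
 * Parse one token  s:N:"...";  from buf[0..buf_len).
 * On success, copies the N payload bytes into a freshly malloc'd,
 * NUL-terminated buffer (*out, caller frees) and stores N in *out_len.
 *
 * The decisive test is the bounds check before memcpy: the length taken
 * from the input must be validated against the bytes actually present.
 * s:-1:""; and s:99999999:""; both fail that check here instead of
 * reading past the end of the buffer.
 */
int parse_serialized_string(const char *buf, size_t buf_len,
                            char **out, size_t *out_len)
{
    size_t i, n = 0, digits = 0, remaining;
    char *s;

    if (buf_len < 2 || buf[0] != 's' || buf[1] != ':')
        return PARSE_BAD_FORMAT;
    i = 2;

    /* Reject a leading minus explicitly rather than letting it wrap to a huge unsigned value. */
    if (i < buf_len && buf[i] == '-')
        return PARSE_BAD_LENGTH;

    while (i < buf_len && buf[i] >= '0' && buf[i] <= '9') {
        unsigned d = (unsigned)(buf[i] - '0');
        /* Overflow guard: stop before n * 10 + d would wrap around. */
        if (n > (SIZE_MAX - d) / 10)
            return PARSE_BAD_LENGTH;
        n = n * 10 + d;
        i++;
        digits++;
    }
    if (digits == 0 || i >= buf_len || buf[i] != ':')
        return PARSE_BAD_FORMAT;
    i++;
    if (i >= buf_len || buf[i] != '"')
        return PARSE_BAD_FORMAT;
    i++;

    /* Bounds check: need n payload bytes plus the closing quote and semicolon. */
    remaining = buf_len - i;
    if (remaining < 2 || n > remaining - 2)
        return PARSE_BAD_LENGTH;
    if (buf[i + n] != '"' || buf[i + n + 1] != ';')
        return PARSE_BAD_FORMAT;

    s = malloc(n + 1);
    if (s == NULL)
        return PARSE_BAD_FORMAT;
    memcpy(s, buf + i, n);  /* safe: n <= remaining - 2 was verified above */
    s[n] = '\0';
    *out = s;
    *out_len = n;
    return PARSE_OK;
}

/* Convenience wrapper for NUL-terminated input; returns only the result code. */
int check_serialized_string(const char *input)
{
    char *out = NULL;
    size_t n = 0;
    int rc = parse_serialized_string(input, strlen(input), &out, &n);
    free(out);
    return rc;
}

int main(void)
{
    /* Constructed sample inputs: the two crashers from this report plus valid and malformed tokens. */
    const char *samples[] = {
        "s:-1:\"\";", "s:99999999:\"\";", "s:5:\"hello\";", "s:5:\"hell\";", "s:3:\"hello\";"
    };
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-20s -> %d\n", samples[k], check_serialized_string(samples[k]));
    return 0;
}
```

The length is parsed into a size_t with an explicit overflow guard and an explicit rejection of a minus sign, so neither a negative value nor a value larger than the remaining input can reach the memcpy; the memory limit the next comment mentions only bounds allocation size and would not by itself stop an over-read of the input buffer.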
 [2003-09-06 20:56 UTC]
Adding more checks for this is pointless.
Just enable the memory limit with --enable-memory-limit configure option and set the "memory_limit" in your php.ini to a reasonable amount.

PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Thu Oct 08 20:01:29 2015 UTC