php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #25378 Invalid data passed to unserialize() causes segfault
Submitted: 2003-09-03 05:21 UTC Modified: 2003-09-06 20:56 UTC
From: skissane at ics dot mq dot edu dot au Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.3.4-dev, 5.0.0b2-dev; 5CVS-2003-09-06-0330 OS: *
Private report: No CVE-ID:
 [2003-09-03 05:21 UTC] skissane at ics dot mq dot edu dot au
Description:
------------
Invalid string data passed to unserialize function causes segfault.

Reproduce code:
---------------
<? unserialize("s:-1:\"\";"); ?>


Expected result:
----------------
No segfault.
Raise an error about data passed to unserialize being invalid.

Actual result:
--------------
#0  0x4207c45c in memcpy () from /lib/tls/libc.so.6
#1  0x081192e0 in _estrndup (s=0xbfffcb04 "\024\220\035\b", length=136191999) at /home/skissane/php-4.3.3/Zend/zend_alloc.c:387
#2  0x080dae02 in php_var_unserialize (rval=0xbfffcb04, p=0xbfffcae4, max=0x81d8ffc "", var_hash=0xbfffcae8)
    at /home/skissane/php-4.3.3/ext/standard/var_unserializer.c:549
#3  0x080d2d5c in zif_unserialize (ht=1, return_value=0x81d9014, this_ptr=0x0, return_value_used=0) at /home/skissane/php-4.3.3/ext/standard/var.c:671
#4  0x081335ea in execute (op_array=0x81dcec4) at /home/skissane/php-4.3.3/Zend/zend_execute.c:1616
#5  0x08126d0d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/skissane/php-4.3.3/Zend/zend.c:885
#6  0x081016d7 in php_execute_script (primary_file=0xbfffefc0) at /home/skissane/php-4.3.3/main/main.c:1723
#7  0x081381f3 in main (argc=2, argv=0xbffff044) at /home/skissane/php-4.3.3/sapi/cli/php_cli.c:818
#8  0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-09-03 11:27 UTC] sniper@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 [2003-09-06 01:55 UTC] skissane at ics dot mq dot edu dot au
The fix in the CVS only partially solves the problem. This reproduce script still causes a segfault:

echo unserialize("s:99999999:\"\";");

The problem is that the unserialize code is not checking that the length of the string given in the argument to s is less than the length of the string given as the argument to unserialize. Large enough numbers return random junk from memory; even larger numbers segfault. Negative numbers = very large positive numbers in 2s complement arithmetic!
 [2003-09-06 20:56 UTC] sniper@php.net
Adding more checks for this is pointless.
Just enable the memory limit with --enable-memory-limit configure option and set the "memory_limit" in your php.ini to a reasonable amount.

 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 02:02:10 2014 UTC