Bug #27263 Unserialize crashes on multiple objects, stored in session explicitly
Submitted: 2004-02-15 13:31 UTC    Modified: 2004-02-29 13:56 UTC
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: davojan at mail dot ru    Assigned:
Status: Closed    Package: Session related
PHP Version: 5CVS-2004-02-17    OS: *
Private report: No    CVE-ID: None
 [2004-02-15 13:31 UTC] davojan at mail dot ru
PHP crashes on session_start() if object "foo" references object "bar" and both "foo" and "bar" are put into the session explicitly, each in its own element.

The example below works if we comment out the line
$_SESSION['bar'] = $bar;
so that only "foo" is put into the session explicitly; "bar" is then also stored, but only as a member of "foo".

Reproduce code:
<?php
class foo {
    public $bar = NULL;
}
class bar {}

$foo = new foo();
$bar = new bar();
$foo->bar = $bar;
$_SESSION['foo'] = $foo;
$_SESSION['bar'] = $bar;	// it will be all right, if we comment this

session_start();	// crashing here (while decoding the session data stored by the previous request)
echo "OK";

Expected result:

Actual result:
In browser:
"The page cannot be displayed"

In /var/log/httpd-error.log:
[Sun Feb 15 21:21:22 2004] [notice] child pid 230 exit signal Segmentation fault (11)


 [2004-02-16 17:38 UTC] davojan at mail dot ru
Sorry, but when I add --enable-debug to my configure the bug "disappeared"; the example script worked fine. The crash takes place only in the debugless version, and its backtrace can hardly help you:

Program terminated with signal 10, Bus error.
.//usr/local/lib/php/20020429/ No such file or directory.
#0  0x2860f780 in ?? () from /usr/local/libexec/apache/
(gdb) bt
#0  0x2860f780 in ?? () from /usr/local/libexec/apache/
#1  0x8050416 in ap_clear_pool ()
#2  0x8050478 in ap_destroy_pool ()
#3  0x80503eb in ap_clear_pool ()
#4  0x8050478 in ap_destroy_pool ()
#5  0x805b190 in clean_parent_exit ()
#6  0x805d84d in standalone_main ()
#7  0x805dcab in main ()
#8  0x804fc39 in _start ()

It is a bad sign; it may mean a buffer overflow anywhere in the program, I suppose. It may be difficult to find the bug. I'm ready to provide any help in catching it...
 [2004-02-16 21:59 UTC]
Never mind, could reproduce. Only happens without --enable-debug! Here's the backtrace:

_efree Zend/zend_alloc.c:257
257             CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size);
(gdb) bt
#0  _efree (ptr=0x61775f5f) at Zend/zend_alloc.c:257
#1  0x4038b383 in _zval_dtor (zvalue=0x82b73c4) at Zend/zend_variables.c:45
#2  0x40384141 in _zval_ptr_dtor (zval_ptr=0xbfffcb00) at Zend/zend_execute_API.c:359
#3  0x4034a36b in php_var_unserialize (rval=0xbfffcb00, p=0xbfffcb04, max=0x82b630e "", var_hash=0xbfffcb08)
#4  0x402b7f29 in ps_srlzr_decode_php (val=0x61775f5f <Address 0x61775f5f out of bounds>, vallen=50)
    at ext/session/session.c:502
#5  0x402b81dd in php_session_decode (val=0x82b62dc "foo|O:3:\"foo\":1:{s:3:\"bar\";O:3:\"bar\":0:{}}bar|r:2;", 
    vallen=50) at ext/session/session.c:549
#6  0x402b8646 in php_session_initialize () at ext/session/session.c:730
#7  0x402b9a13 in php_session_start () at ext/session/session.c:1162
#8  0x402bb031 in zif_session_start (ht=0, return_value=0x82b6004, this_ptr=0x0, return_value_used=0)
    at ext/session/session.c:1601
#9  0x403a9c96 in zend_do_fcall_common_helper (execute_data=0xbfffced0, opline=0x82b5e14, op_array=0x82af144)
    at Zend/zend_execute.c:2642
#10 0x403a9dce in zend_do_fcall_handler (execute_data=0xbfffced0, opline=0x82b5e14, op_array=0x82af144)
    at Zend/zend_execute.c:2771
#11 0x403a68eb in execute (op_array=0x82af144) at Zend/zend_execute.c:1339
#12 0x4038cdfd in zend_execute_scripts (type=8, retval=0x0, file_count=3) at Zend/zend.c:1052
#13 0x4035ca96 in php_execute_script (primary_file=0xbffff220) at main/main.c:1647
#14 0x403afc2e in apache_php_module_main (r=0x832503c, display_source_mode=0)
    at sapi/apache/sapi_apache.c:54
#15 0x403b0629 in send_php (r=0x832503c, display_source_mode=0, filename=0x0)
    at sapi/apache/mod_php5.c:621
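The string in frame #5 of the backtrace above is what the session handler had to decode: `foo|O:3:"foo":1:{s:3:"bar";O:3:"bar":0:{}}bar|r:2;`. The second variable is not a copy of the object but a back-reference (`r:2`) into the unserializer's value table, and that table (`var_hash` in frame #3) is shared across all `name|value` pairs of one session. As an added illustration, not code from PHP or from this report, here is a small Python decoder for that session format which keeps the same kind of slot table, so one can see which value `r:2` resolves to and why the two session variables end up being the same object. The names `SessionParser`, `PHPObject` and `decode_session` are the example's own; it handles the `N b i d s a O r R` tags on ASCII input, treating `s:N` lengths as character counts.

```python
# Minimal decoder for the PHP "php" session serialization format.
# Added example (not PHP's own code): handles N, b, i, d, s, a, O, r and R on
# ASCII input, so s:N lengths are treated as character counts.


class PHPObject:
    """Stand-in for an unserialized PHP object: class name plus properties."""

    def __init__(self, cls):
        self.cls = cls
        self.props = {}

    def __repr__(self):
        return f"PHPObject({self.cls!r}, {self.props!r})"


class SessionParser:
    def __init__(self, data):
        self.data = data
        self.pos = 0
        # Mirrors the unserializer's var_hash: every value parsed (except 'R:')
        # is appended in pre-order, and r:N / R:N refer to entry N (1-based).
        self.slots = []

    def _expect(self, s):
        if not self.data.startswith(s, self.pos):
            raise ValueError(f"expected {s!r} at offset {self.pos}")
        self.pos += len(s)

    def _until(self, ch):
        end = self.data.index(ch, self.pos)
        tok = self.data[self.pos:end]
        self.pos = end + 1
        return tok

    def _take(self, n):
        tok = self.data[self.pos:self.pos + n]
        if len(tok) != n:
            raise ValueError(f"truncated data at offset {self.pos}")
        self.pos += n
        return tok

    def value(self, track=True):
        tag = self.data[self.pos]
        slot = None
        if track and tag != 'R':
            self.slots.append(None)  # reserve now; nested values come after it
            slot = len(self.slots) - 1
        self.pos += 1
        if tag == 'N':
            self._expect(';')
            result = None
        elif tag == 'b':
            self._expect(':')
            result = self._until(';') == '1'
        elif tag == 'i':
            self._expect(':')
            result = int(self._until(';'))
        elif tag == 'd':
            self._expect(':')
            result = float(self._until(';'))
        elif tag == 's':
            self._expect(':')
            n = int(self._until(':'))
            self._expect('"')
            result = self._take(n)
            self._expect('";')
        elif tag == 'a':
            self._expect(':')
            count = int(self._until(':'))
            result = {}
            if slot is not None:
                self.slots[slot] = result  # visible to references inside it
            self._members(result, count)
        elif tag == 'O':
            self._expect(':')
            n = int(self._until(':'))
            self._expect('"')
            cls = self._take(n)
            self._expect('":')
            count = int(self._until(':'))
            result = PHPObject(cls)
            if slot is not None:
                self.slots[slot] = result
            self._members(result.props, count)
        elif tag in ('r', 'R'):
            self._expect(':')
            idx = int(self._until(';'))
            # Only values already fully or partially parsed may be referenced.
            if not 1 <= idx <= len(self.slots) or self.slots[idx - 1] is None:
                raise ValueError(f"{tag}:{idx} does not refer to an earlier value")
            result = self.slots[idx - 1]
        else:
            raise ValueError(f"unknown type tag {tag!r} at offset {self.pos - 1}")
        if slot is not None:
            self.slots[slot] = result
        return result

    def _members(self, target, count):
        self._expect('{')
        for _ in range(count):
            key = self.value(track=False)  # keys never enter the slot table
            target[key] = self.value()
        self._expect('}')

    def session(self):
        """Decode name|value pairs with ONE slot table for the whole session,
        as the session decoder passes the same var_hash to every variable."""
        result = {}
        while self.pos < len(self.data):
            name = self._until('|')
            result[name] = self.value()
        return result


def decode_session(data):
    parser = SessionParser(data)
    variables = parser.session()
    return variables, parser.slots


# Input taken from frame #5 of the backtrace in this report.
SESSION_DATA = 'foo|O:3:"foo":1:{s:3:"bar";O:3:"bar":0:{}}bar|r:2;'

if __name__ == "__main__":
    variables, slots = decode_session(SESSION_DATA)
    for i, v in enumerate(slots, 1):
        print(f"slot {i}: {v!r}")
    print("bar is foo->bar:", variables["bar"] is variables["foo"].props["bar"])
```

Run on the string from the backtrace, slot 1 is the `foo` object, slot 2 is the `bar` object nested in it, and the `bar` session variable resolves to that same slot, so `variables["bar"] is variables["foo"].props["bar"]` holds. A decoder therefore has to treat that value as shared by two owners rather than as two independent values that each get released; the frames above, a destructor (`_zval_ptr_dtor`) called from inside `php_var_unserialize` and ending in `_efree` on an address that is clearly not a heap pointer, are consistent with the shared value being mishandled at exactly that point.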

 [2004-02-29 13:56 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Fri Mar 31 20:03:38 2023 UTC