Bug #27287 wddx segfault when deserializing "object string"
Submitted: 2004-02-17 03:37 UTC Modified: 2010-12-20 11:43 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:1 (33.3%)
From: clemens at gutweiler dot net Assigned: jani
Status: Closed Package: WDDX related
PHP Version: 5CVS-2004-02-16 OS: *
Private report: No CVE-ID:
 [2004-02-17 03:37 UTC] clemens at gutweiler dot net
Description:
------------
wddx_deserialize crashes when deserializing a serialized object.

Configure Command =>  './configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-mysql=/usr/local/mysql' '--with-xsl' '--enable-wddx' '--enable-soap' '--with-tidy' '--enable-sockets'

Reproduce code:
---------------
<?php

class foo {
}

$foo = new foo();
$foo->abc = 'def';

// serializes the object as a <struct> whose first var is php_class_name
$string = wddx_serialize_value($foo);
var_dump($string);

// segfault:
var_dump(wddx_deserialize($string));

?>

Expected result:
----------------
var_dump of the $foo object.

Actual result:
--------------
(gdb) run segfault.php
Starting program: /usr/local/bin/php segfault.php
[New Thread 16384 (LWP 3990)]
string(173) "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'><string>foo</string></var><var name='abc'><string>def</string></var></struct></data></wddxPacket>"

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 3990)]
0x081a6329 in zend_hash_find (ht=0x82ac658, arKey=0x403cc9dc "__wakeup", nKeyLength=9, pData=0x0) at /data/php-5.0.0b4/Zend/zend_hash.c:846
846             p = ht->arBuckets[nIndex];
(gdb) bt
#0  0x081a6329 in zend_hash_find (ht=0x82ac658, arKey=0x403cc9dc "__wakeup", nKeyLength=9, pData=0x0) at /data/php-5.0.0b4/Zend/zend_hash.c:846
#1  0x081982a6 in zend_call_function (fci=0xbfffd4d0, fci_cache=0x0) at /data/php-5.0.0b4/Zend/zend_execute_API.c:629
#2  0x08198155 in call_user_function_ex (function_table=0x0, object_pp=0x0, function_name=0x0, retval_ptr_ptr=0x0, param_count=0, params=0x0, no_separation=0,
    symbol_table=0x0) at /data/php-5.0.0b4/Zend/zend_execute_API.c:518
#3  0x08167eac in php_wddx_pop_element (user_data=0xbfffd6c0, name=0x82a9690 "struct") at /data/php-5.0.0b4/ext/wddx/wddx.c:919
#4  0x0816bfff in _end_element_handler (user=0x403cca2c, name=0x82a9640 "struct") at /data/php-5.0.0b4/ext/xml/compat.c:198
#5  0x4018489c in xmlParseStartTag () from /usr/lib/libxml2.so.2
#6  0x40184997 in xmlParseEndTag () from /usr/lib/libxml2.so.2
#7  0x401883c2 in xmlParseExtParsedEnt () from /usr/lib/libxml2.so.2
#8  0x401887bf in xmlParseChunk () from /usr/lib/libxml2.so.2
#9  0x0816c525 in php_XML_Parse (parser=0x0,
    data=0x403ccb14 "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'><string>foo</string></var><var name='abc'><string>def</string></var></struct></data></wddxPacket>", data_len=173, is_final=1) at /data/php-5.0.0b4/ext/xml/compat.c:501
#10 0x081682a7 in php_wddx_deserialize_ex (
    value=0x403ccb14 "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'><string>foo</string></var><var name='abc'><string>def</string></var></struct></data></wddxPacket>", vallen=173, return_value=0x403cc95c) at /data/php-5.0.0b4/ext/wddx/wddx.c:1104
#11 0x08168b0d in zif_wddx_deserialize (ht=1, return_value=0x403cc95c, this_ptr=0x0, return_value_used=0) at /data/php-5.0.0b4/ext/wddx/wddx.c:1325
#12 0x081bd923 in zend_do_fcall_common_helper (execute_data=0xbfffd950, opline=0x403d7784, op_array=0x403cc334) at /data/php-5.0.0b4/Zend/zend_execute.c:2642
#13 0x081bda9a in zend_do_fcall_handler (execute_data=0xbfffd950, opline=0x403d7784, op_array=0x403cc334) at /data/php-5.0.0b4/Zend/zend_execute.c:2771
#14 0x081ba573 in execute (op_array=0x403cc334) at /data/php-5.0.0b4/Zend/zend_execute.c:1339
#15 0x081a0a09 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /data/php-5.0.0b4/Zend/zend.c:1052
#16 0x08171683 in php_execute_script (primary_file=0xbffffd30) at /data/php-5.0.0b4/main/main.c:1647
#17 0x081c4a5c in main (argc=2, argv=0xbffffdb4) at /data/php-5.0.0b4/sapi/cli/php_cli.c:941
(gdb) frame 14
#14 0x081ba573 in execute (op_array=0x403cc334) at /data/php-5.0.0b4/Zend/zend_execute.c:1339
1339                    if (EX(opline)->handler(&execute_data, EX(opline), op_array TSRMLS_CC)) {
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x81e56e5 "wddx_deserialize"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x0
(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0x403cc404 "/web/segfault.php"
(gdb)
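The backtrace above shows the mechanism behind the crash: php_wddx_pop_element (frame #3) sees a <struct> whose php_class_name var names a class, builds an object of that class from the struct's vars, and then looks up and calls its __wakeup method (frames #0 to #2). The class name and the property values come straight from the packet, so whoever controls the XML controls which class gets instantiated and which __wakeup runs. The script below is an added example, not code from the report or from php.net; it assumes a PHP 7 build with ext/wddx (bundled up to PHP 7.3, a PECL extension afterwards) that already carries the fix committed on 2004-02-29, so the object packet deserializes instead of segfaulting. The class Foo, the two helper functions and the hand-written packet are hypothetical.

```php
<?php
// Added example for this report, not code from php.net or from the reporter.
// Assumes PHP 7 with ext/wddx loaded and the fix for this bug applied.
// Foo, deserialize_and_inspect, wddx_names_class and $packet are hypothetical.

class Foo
{
    public $abc;
    public static $wakeups = 0;

    // wddx_deserialize looks this method up on the freshly built object and
    // calls it (the zend_hash_find of "__wakeup" in frame #0 of the report).
    public function __wakeup()
    {
        self::$wakeups++;
    }
}

// Constructed packet: same shape as the one wddx_serialize_value produced in
// the report, but written by hand, as an untrusted caller could.
$packet = "<wddxPacket version='1.0'><header/><data><struct>"
    . "<var name='php_class_name'><string>Foo</string></var>"
    . "<var name='abc'><string>def</string></var>"
    . "</struct></data></wddxPacket>";

// Deserialize and report whether the class name in the packet was honoured.
function deserialize_and_inspect(string $packet): array
{
    $value = wddx_deserialize($packet);
    return [
        'is_object' => $value instanceof Foo,
        'wakeups'   => Foo::$wakeups,
        'abc'       => is_object($value) ? $value->abc : null,
    ];
}

// Check a consumer can run before handing a packet to wddx_deserialize:
// refuse any packet whose struct names a PHP class, so the deserializer only
// ever builds arrays and scalars. LIBXML_NONET keeps this inspection parse
// from fetching external resources referenced by the packet.
function wddx_names_class(string $packet): bool
{
    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    $ok   = $dom->loadXML($packet, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return true; // unparsable input is treated as unsafe
    }
    $xp = new DOMXPath($dom);
    return $xp->query("//var[@name='php_class_name']")->length > 0;
}

// What the deserializer does with the packet: an object of the class named
// in the XML, with __wakeup already run before the caller sees the result.
var_dump(deserialize_and_inspect($packet));

// What the pre-check says about the same packet.
var_dump(wddx_names_class($packet));
```

The check rejects the packet before wddx_deserialize ever parses it; a consumer that only expects arrays and scalars from WDDX input has no reason to let a php_class_name var through. What the deserializer does when the named class does not exist is not shown in this report and is not assumed here.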


History

 [2004-02-21 11:26 UTC] mneugebauer at omaha dot com
I've also encountered this bug in PHP 5 beta 4 under Mac OS 10.3 (Panther).
 [2004-02-23 10:22 UTC] bugs dot php dot net at baach dot de
Reproducible also in 5.0.0.4b on Linux (cli and apache2)
 [2004-02-29 13:53 UTC] moriyoshi@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2010-12-20 11:43 UTC] jani@php.net
-Package: Tidy +Package: WDDX related -Assigned To: +Assigned To: jani
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 13:01:59 2014 UTC