Bug #27287 wddx segfault when deserializing "object string"
Submitted: 2004-02-17 03:37 UTC Modified: 2010-12-20 11:43 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:1 (33.3%)
From: clemens at gutweiler dot net Assigned: jani (profile)
Status: Closed Package: WDDX related
PHP Version: 5CVS-2004-02-16 OS: *
Private report: No CVE-ID: None
 [2004-02-17 03:37 UTC] clemens at gutweiler dot net
Description:
------------
wddx_deserialize crashes when deserializing a serialized object.

Configure Command =>  './configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-mysql=/usr/local/mysql' '--with-xsl' '--enable-wddx' '--enable-soap' '--with-tidy' '--enable-sockets'

Reproduce code:
---------------
<?php

class foo {
}
$foo = new foo( );
$foo->abc = 'def';

// serialize the object; the packet records the class as a php_class_name member
$string = wddx_serialize_value( $foo );
var_dump( $string );

// segfault:
var_dump( wddx_deserialize( $string ) );

?>

Expected result:
----------------
var_dump of the $foo object.

Actual result:
--------------
(gdb) run segfault.php
Starting program: /usr/local/bin/php segfault.php
[New Thread 16384 (LWP 3990)]
string(173) "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'><string>foo</string></var><var name='abc'><string>def</string></var></struct></data></wddxPacket>"

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 3990)]
0x081a6329 in zend_hash_find (ht=0x82ac658, arKey=0x403cc9dc "__wakeup", nKeyLength=9, pData=0x0) at /data/php-5.0.0b4/Zend/zend_hash.c:846
846             p = ht->arBuckets[nIndex];
(gdb) bt
#0  0x081a6329 in zend_hash_find (ht=0x82ac658, arKey=0x403cc9dc "__wakeup", nKeyLength=9, pData=0x0) at /data/php-5.0.0b4/Zend/zend_hash.c:846
#1  0x081982a6 in zend_call_function (fci=0xbfffd4d0, fci_cache=0x0) at /data/php-5.0.0b4/Zend/zend_execute_API.c:629
#2  0x08198155 in call_user_function_ex (function_table=0x0, object_pp=0x0, function_name=0x0, retval_ptr_ptr=0x0, param_count=0, params=0x0, no_separation=0,
    symbol_table=0x0) at /data/php-5.0.0b4/Zend/zend_execute_API.c:518
#3  0x08167eac in php_wddx_pop_element (user_data=0xbfffd6c0, name=0x82a9690 "struct") at /data/php-5.0.0b4/ext/wddx/wddx.c:919
#4  0x0816bfff in _end_element_handler (user=0x403cca2c, name=0x82a9640 "struct") at /data/php-5.0.0b4/ext/xml/compat.c:198
#5  0x4018489c in xmlParseStartTag () from /usr/lib/libxml2.so.2
#6  0x40184997 in xmlParseEndTag () from /usr/lib/libxml2.so.2
#7  0x401883c2 in xmlParseExtParsedEnt () from /usr/lib/libxml2.so.2
#8  0x401887bf in xmlParseChunk () from /usr/lib/libxml2.so.2
#9  0x0816c525 in php_XML_Parse (parser=0x0,
    data=0x403ccb14 "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'><string>foo</string></var><var name='abc'><string>def</string></var></struct></data></wddxPacket>", data_len=173, is_final=1) at /data/php-5.0.0b4/ext/xml/compat.c:501
#10 0x081682a7 in php_wddx_deserialize_ex (
    value=0x403ccb14 "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'><string>foo</string></var><var name='abc'><string>def</string></var></struct></data></wddxPacket>", vallen=173, return_value=0x403cc95c) at /data/php-5.0.0b4/ext/wddx/wddx.c:1104
#11 0x08168b0d in zif_wddx_deserialize (ht=1, return_value=0x403cc95c, this_ptr=0x0, return_value_used=0) at /data/php-5.0.0b4/ext/wddx/wddx.c:1325
#12 0x081bd923 in zend_do_fcall_common_helper (execute_data=0xbfffd950, opline=0x403d7784, op_array=0x403cc334) at /data/php-5.0.0b4/Zend/zend_execute.c:2642
#13 0x081bda9a in zend_do_fcall_handler (execute_data=0xbfffd950, opline=0x403d7784, op_array=0x403cc334) at /data/php-5.0.0b4/Zend/zend_execute.c:2771
#14 0x081ba573 in execute (op_array=0x403cc334) at /data/php-5.0.0b4/Zend/zend_execute.c:1339
#15 0x081a0a09 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /data/php-5.0.0b4/Zend/zend.c:1052
#16 0x08171683 in php_execute_script (primary_file=0xbffffd30) at /data/php-5.0.0b4/main/main.c:1647
#17 0x081c4a5c in main (argc=2, argv=0xbffffdb4) at /data/php-5.0.0b4/sapi/cli/php_cli.c:941
(gdb) frame 14
#14 0x081ba573 in execute (op_array=0x403cc334) at /data/php-5.0.0b4/Zend/zend_execute.c:1339
1339                    if (EX(opline)->handler(&execute_data, EX(opline), op_array TSRMLS_CC)) {
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x81e56e5 "wddx_deserialize"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x0
(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0x403cc404 "/web/segfault.php"
(gdb)
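The packet printed above records the object's class as a `php_class_name` member of the `<struct>`, and frames #0 to #3 of the backtrace show `php_wddx_pop_element` calling `__wakeup` while re-creating that object during `wddx_deserialize`. The decoder below is an added example, not code from the PHP project or from this report: it parses a WDDX 1.0 packet into plain Python values without instantiating anything, keeps the class name aside, and exposes `names_classes()` so that a packet which names a class can be rejected before it reaches `wddx_deserialize()` when the input is untrusted. The sample packet is the one from the report; the element set handled (struct, var, string, number, boolean, array, null) and the helper names are this example's own assumptions.

```python
"""Minimal WDDX 1.0 packet decoder with an object-marker check.

Added example, not code from the PHP project or from the bug report.
Assumptions: only the element types listed in _decode are handled, and
what to do with a packet that names a class is left to the caller.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the packet wddx_serialize_value() produced in the
# report for an object of class foo with $foo->abc = 'def'.
PACKET = ("<wddxPacket version='1.0'><header/><data><struct>"
          "<var name='php_class_name'><string>foo</string></var>"
          "<var name='abc'><string>def</string></var>"
          "</struct></data></wddxPacket>")

# Member name the PHP extension uses to record an object's class.
CLASS_MARKER = "php_class_name"


class WddxObject(dict):
    """A struct that named a PHP class; kept as a dict, never instantiated."""

    def __init__(self, class_name, members):
        super().__init__(members)
        self.class_name = class_name


def _decode(el):
    """Turn one WDDX value element into a Python value."""
    tag = el.tag
    if tag == "string":
        return el.text or ""
    if tag == "number":
        text = (el.text or "0").strip()
        return int(text) if text.lstrip("-").isdigit() else float(text)
    if tag == "boolean":
        return el.get("value") == "true"
    if tag == "null":
        return None
    if tag == "array":
        return [_decode(child) for child in el]
    if tag == "struct":
        members = {}
        for var in el:
            if var.tag != "var" or "name" not in var.attrib or len(var) != 1:
                raise ValueError("malformed <var> in struct")
            members[var.get("name")] = _decode(var[0])
        if CLASS_MARKER in members:
            # Keep the class name as data instead of creating an instance.
            return WddxObject(members.pop(CLASS_MARKER), members)
        return members
    raise ValueError(f"unsupported WDDX element <{tag}>")


def decode_packet(packet):
    """Decode the single value carried in a wddxPacket's <data> element."""
    root = ET.fromstring(packet)
    if root.tag != "wddxPacket":
        raise ValueError("not a WDDX packet")
    data = root.find("data")
    if data is None or len(data) != 1:
        raise ValueError("packet must carry exactly one <data> value")
    return _decode(data[0])


def names_classes(packet):
    """True if any struct in the packet carries the php_class_name marker."""

    def walk(value):
        if isinstance(value, WddxObject):
            return True
        if isinstance(value, dict):
            return any(walk(v) for v in value.values())
        if isinstance(value, list):
            return any(walk(v) for v in value)
        return False

    return walk(decode_packet(packet))


if __name__ == "__main__":
    value = decode_packet(PACKET)
    print(type(value).__name__, value.class_name, dict(value))
    print("names a class:", names_classes(PACKET))
```

Run against the report's packet, `decode_packet()` returns a `WddxObject` whose `class_name` is `foo` and whose members are `{'abc': 'def'}`, and `names_classes()` returns `True`; a packet built only from scalars, arrays and plain structs decodes to ordinary Python values and returns `False`, which is the condition a gateway would require before handing untrusted data to the extension.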


 [2004-02-21 11:26 UTC] mneugebauer at omaha dot com
I've also encountered this bug in PHP 5 beta 4 under Mac OS 10.3 (Panther).
 [2004-02-23 10:22 UTC] bugs dot php dot net at baach dot de
Reproducible also in 5.0.0.4b on Linux (cli and apache2).
 [2004-02-29 13:53 UTC] moriyoshi@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2010-12-20 11:43 UTC] jani@php.net
-Package: Tidy +Package: WDDX related -Assigned To: +Assigned To: jani
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 08:01:28 2024 UTC