php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28215 [PATCH] crash when serialize() twice to same __PHP_Incomplete_Class object
Submitted: 2004-04-29 11:42 UTC Modified: 2004-12-13 00:50 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:2 (66.7%)
From: takanota at alpha dot co dot jp Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4CVS, 5CVS OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: takanota at alpha dot co dot jp
New email:
PHP Version: OS:

 

 [2004-04-29 11:42 UTC] takanota at alpha dot co dot jp
Description:
------------
When serialize() twice to same __PHP_Incomplete_Class object, php will crash on second serialize().

I found this problem on apache and cli sapi on Red Hat Linux 9 (2.4.20-8, not smp).

If memory-limit is enabled, php reports memory-limit error. (try to allocate over 1G bytes!)
If memory-limit is disabled, php crash with segmentation fault.

It seems that serialize() drops __PHP_Incomplete_Class_Name member.


Reproduce code:
---------------
<?php
$object = unserialize('O:9:"testclass":1:{s:5:"value";i:100;}');

var_dump($object);
echo serialize($object), "\n\n";

var_dump($object);
echo serialize($object), "\n\n";


Expected result:
----------------
object(__PHP_Incomplete_Class)(2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(9) "testclass"
  ["value"]=>
  int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}

object(__PHP_Incomplete_Class)(2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(9) "testclass"
  ["value"]=>
  int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}



Actual result:
--------------
object(__PHP_Incomplete_Class)(2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(9) "testclass"
  ["value"]=>
  int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}

object(__PHP_Incomplete_Class)(1) {
  ["value"]=>
  int(100)
}

Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1107768167 bytes) in /home/takanota/php/serialize.php on line 8


If memory-limit is disabled, php will crash with segmentation fault.

 backtrace:
------------
#0  0x4207c1ac in memcpy () from /lib/tls/libc.so.6
#1  0x080afe24 in smart_str_appendl_ex (dest=0xbfffd030, src=0x8159e74 "\204\223\025\b\001", len=1, what=0)
    at php_smart_str.h:84
#2  0x080b0070 in php_var_serialize_class_name (buf=0xbfffd030, struc=0x8159e74)
    at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:430
#3  0x080af926 in php_var_serialize_intern (buf=0xbfffd030, struc=0x8159e74, var_hash=0xbfffd040)
    at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:574
#4  0x080afa94 in php_var_serialize (buf=0xbfffd030, struc=0x8159e74, var_hash=0xbfffd040)
    at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:626
#5  0x080afb36 in zif_serialize (ht=1, return_value=0x81592ec, this_ptr=0x0, return_value_used=1)
    at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:649
#6  0x080febe2 in execute (op_array=0x815f48c) at /home/takanota/local/src/php-4.3.6/Zend/zend_execute.c:1635
#7  0x080eef25 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/takanota/local/src/php-4.3.6/Zend/zend.c:886
#8  0x080bf8aa in php_execute_script (primary_file=0xbffff660) at /home/takanota/local/src/php-4.3.6/main/main.c:1731
#9  0x081048c9 in main (argc=2, argv=0xbffff6f4) at /home/takanota/local/src/php-4.3.6/sapi/cli/php_cli.c:822
#10 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-06-30 23:23 UTC] schulz at schwaar dot com
This patch fixes the bug for me. Tested on linux with 
php-4.3.7. The second changed line of the diff should 
probably be turned into something like:
"if (class_name) free_class_name = 1; else 
emit_a_warning(WITH_A_PROPER_TEXT);"

--- php_incomplete_class.h.orig	2004-06-30 
22:40:12.000000000 +0200
+++ php_incomplete_class.h	2004-06-30 23:00:01.000000000 
+0200
@@ -29,8 +29,8 @@
 #define PHP_SET_CLASS_ATTRIBUTES(struc) 								\
 	/* OBJECTS_FIXME: Fix for new object model */						\
 	if (Z_OBJCE_P(struc) == BG(incomplete_class)) {						\
-		class_name = php_lookup_class_name(struc, &name_len, 1 
TSRMLS_CC);		\
-		free_class_name = 1;											\
+		class_name = php_lookup_class_name(struc, &name_len, 0 
TSRMLS_CC);		\
+		if (class_name) free_class_name = 1;											\
 	} else {															\
 		class_name = Z_OBJCE_P(struc)->name;							\
 		name_len   = Z_OBJCE_P(struc)->name_length;						\
 [2004-07-11 21:50 UTC] sniper@php.net
Didn't try the patch though..

 [2004-12-13 00:50 UTC] sniper@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Aug 07 21:01:25 2020 UTC