|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2004-04-29 11:42 UTC] takanota at alpha dot co dot jp
Description:
------------
When serialize() twice to same __PHP_Incomplete_Class object, php will crash on second serialize().
I found this problem on apache and cli sapi on Red Hat Linux 9 (2.4.20-8, not smp).
If memory-limit is enabled, php reports memory-limit error. (try to allocate over 1G bytes!)
If memory-limit is disabled, php crash with segmentation fault.
It seems that serialize() drops __PHP_Incomplete_Class_Name member.
Reproduce code:
---------------
<?php
$object = unserialize('O:9:"testclass":1:{s:5:"value";i:100;}');
var_dump($object);
echo serialize($object), "\n\n";
var_dump($object);
echo serialize($object), "\n\n";
Expected result:
----------------
object(__PHP_Incomplete_Class)(2) {
["__PHP_Incomplete_Class_Name"]=>
string(9) "testclass"
["value"]=>
int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}
object(__PHP_Incomplete_Class)(2) {
["__PHP_Incomplete_Class_Name"]=>
string(9) "testclass"
["value"]=>
int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}
Actual result:
--------------
object(__PHP_Incomplete_Class)(2) {
["__PHP_Incomplete_Class_Name"]=>
string(9) "testclass"
["value"]=>
int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}
object(__PHP_Incomplete_Class)(1) {
["value"]=>
int(100)
}
Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1107768167 bytes) in /home/takanota/php/serialize.php on line 8
If memory-limit is disabled, php will crash with segmentation fault.
backtrace:
------------
#0 0x4207c1ac in memcpy () from /lib/tls/libc.so.6
#1 0x080afe24 in smart_str_appendl_ex (dest=0xbfffd030, src=0x8159e74 "\204\223\025\b\001", len=1, what=0)
at php_smart_str.h:84
#2 0x080b0070 in php_var_serialize_class_name (buf=0xbfffd030, struc=0x8159e74)
at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:430
#3 0x080af926 in php_var_serialize_intern (buf=0xbfffd030, struc=0x8159e74, var_hash=0xbfffd040)
at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:574
#4 0x080afa94 in php_var_serialize (buf=0xbfffd030, struc=0x8159e74, var_hash=0xbfffd040)
at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:626
#5 0x080afb36 in zif_serialize (ht=1, return_value=0x81592ec, this_ptr=0x0, return_value_used=1)
at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:649
#6 0x080febe2 in execute (op_array=0x815f48c) at /home/takanota/local/src/php-4.3.6/Zend/zend_execute.c:1635
#7 0x080eef25 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /home/takanota/local/src/php-4.3.6/Zend/zend.c:886
#8 0x080bf8aa in php_execute_script (primary_file=0xbffff660) at /home/takanota/local/src/php-4.3.6/main/main.c:1731
#9 0x081048c9 in main (argc=2, argv=0xbffff6f4) at /home/takanota/local/src/php-4.3.6/sapi/cli/php_cli.c:822
#10 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2020 The PHP GroupAll rights reserved. |
Last updated: Wed Feb 26 05:01:26 2020 UTC |
This patch fixes the bug for me. Tested on linux with php-4.3.7. The second changed line of the diff should probably be turned into something like: "if (class_name) free_class_name = 1; else emit_a_warning(WITH_A_PROPER_TEXT);" --- php_incomplete_class.h.orig 2004-06-30 22:40:12.000000000 +0200 +++ php_incomplete_class.h 2004-06-30 23:00:01.000000000 +0200 @@ -29,8 +29,8 @@ #define PHP_SET_CLASS_ATTRIBUTES(struc) \ /* OBJECTS_FIXME: Fix for new object model */ \ if (Z_OBJCE_P(struc) == BG(incomplete_class)) { \ - class_name = php_lookup_class_name(struc, &name_len, 1 TSRMLS_CC); \ - free_class_name = 1; \ + class_name = php_lookup_class_name(struc, &name_len, 0 TSRMLS_CC); \ + if (class_name) free_class_name = 1; \ } else { \ class_name = Z_OBJCE_P(struc)->name; \ name_len = Z_OBJCE_P(struc)->name_length; \