Bug #28215 [PATCH] crash when serialize() twice to same __PHP_Incomplete_Class object
Submitted: 2004-04-29 11:42 UTC Modified: 2004-12-13 00:50 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:2 (66.7%)
From: takanota at alpha dot co dot jp
Assigned: (unassigned)
Status: Closed
Package: Reproducible crash
PHP Version: 4CVS, 5CVS
OS: *
Private report: No
CVE-ID: None
[2004-04-29 11:42 UTC] takanota at alpha dot co dot jp
Description:
------------
When serialize() is called twice on the same __PHP_Incomplete_Class object, PHP will crash on the second serialize().

I found this problem with the apache and cli SAPIs on Red Hat Linux 9 (2.4.20-8, not SMP).

If memory-limit is enabled, PHP reports a memory-limit error (it tries to allocate over 1G bytes!).
If memory-limit is disabled, PHP crashes with a segmentation fault.

It seems that serialize() drops the __PHP_Incomplete_Class_Name member.


Reproduce code:
---------------
<?php
// "testclass" is not defined, so unserialize() produces a __PHP_Incomplete_Class object
$object = unserialize('O:9:"testclass":1:{s:5:"value";i:100;}');

var_dump($object);
echo serialize($object), "\n\n";   // first serialize() works

var_dump($object);                  // __PHP_Incomplete_Class_Name is gone after the first call
echo serialize($object), "\n\n";   // second serialize() crashes


Expected result:
----------------
object(__PHP_Incomplete_Class)(2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(9) "testclass"
  ["value"]=>
  int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}

object(__PHP_Incomplete_Class)(2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(9) "testclass"
  ["value"]=>
  int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}



Actual result:
--------------
object(__PHP_Incomplete_Class)(2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(9) "testclass"
  ["value"]=>
  int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}

object(__PHP_Incomplete_Class)(1) {
  ["value"]=>
  int(100)
}

Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1107768167 bytes) in /home/takanota/php/serialize.php on line 8


If memory-limit is disabled, PHP will crash with a segmentation fault.

backtrace:
------------
#0  0x4207c1ac in memcpy () from /lib/tls/libc.so.6
#1  0x080afe24 in smart_str_appendl_ex (dest=0xbfffd030, src=0x8159e74 "\204\223\025\b\001", len=1, what=0)
    at php_smart_str.h:84
#2  0x080b0070 in php_var_serialize_class_name (buf=0xbfffd030, struc=0x8159e74)
    at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:430
#3  0x080af926 in php_var_serialize_intern (buf=0xbfffd030, struc=0x8159e74, var_hash=0xbfffd040)
    at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:574
#4  0x080afa94 in php_var_serialize (buf=0xbfffd030, struc=0x8159e74, var_hash=0xbfffd040)
    at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:626
#5  0x080afb36 in zif_serialize (ht=1, return_value=0x81592ec, this_ptr=0x0, return_value_used=1)
    at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:649
#6  0x080febe2 in execute (op_array=0x815f48c) at /home/takanota/local/src/php-4.3.6/Zend/zend_execute.c:1635
#7  0x080eef25 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/takanota/local/src/php-4.3.6/Zend/zend.c:886
#8  0x080bf8aa in php_execute_script (primary_file=0xbffff660) at /home/takanota/local/src/php-4.3.6/main/main.c:1731
#9  0x081048c9 in main (argc=2, argv=0xbffff6f4) at /home/takanota/local/src/php-4.3.6/sapi/cli/php_cli.c:822
#10 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6

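As an added regression check for the behaviour described above (not part of the original report or of PHP's own test suite), the following script unserializes the reporter's payload, serializes it twice and verifies that the output is stable and that the class-name marker survives. It assumes PHP 7+ syntax; the function name is my own, and the memory_limit is set so a regression fails with a fatal error rather than a segfault.

```php
<?php
// Added example: regression check for Bug #28215-style behaviour. Not from the
// original report. check_incomplete_class_serialize() is a hypothetical name.

// Returns a list of problems; an empty list means serialize() is stable on the
// incomplete-class object produced from $payload.
function check_incomplete_class_serialize(string $payload): array
{
    $problems = [];
    $object = unserialize($payload);
    if (!($object instanceof __PHP_Incomplete_Class)) {
        return ['payload did not produce __PHP_Incomplete_Class (is the class defined?)'];
    }

    $first = serialize($object);

    // The original class name is kept as an internal property; an (array) cast
    // exposes it as __PHP_Incomplete_Class_Name. In the buggy build it is gone here.
    $vars = (array) $object;
    if (!isset($vars['__PHP_Incomplete_Class_Name'])) {
        $problems[] = '__PHP_Incomplete_Class_Name missing after first serialize()';
    }

    $second = serialize($object);
    if ($second !== $first) {
        $problems[] = "second serialize() differs from first: $second";
    }
    if ($first !== $payload) {
        $problems[] = "round trip changed the payload: $first";
    }
    return $problems;
}

// A small memory_limit turns a runaway allocation into a fatal error instead of a crash.
ini_set('memory_limit', '8M');

// Constructed input: the reporter's payload, class "testclass" intentionally undefined.
$problems = check_incomplete_class_serialize('O:9:"testclass":1:{s:5:"value";i:100;}');
echo $problems ? implode("\n", $problems) . "\n" : "OK\n";
```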

[2004-06-30 23:23 UTC] schulz at schwaar dot com
This patch fixes the bug for me. Tested on Linux with php-4.3.7. The second changed line of the diff should probably be turned into something like:
"if (class_name) free_class_name = 1; else emit_a_warning(WITH_A_PROPER_TEXT);"

--- php_incomplete_class.h.orig	2004-06-30 
22:40:12.000000000 +0200
+++ php_incomplete_class.h	2004-06-30 23:00:01.000000000 
+0200
@@ -29,8 +29,8 @@
 #define PHP_SET_CLASS_ATTRIBUTES(struc) 								\
 	/* OBJECTS_FIXME: Fix for new object model */						\
 	if (Z_OBJCE_P(struc) == BG(incomplete_class)) {						\
-		class_name = php_lookup_class_name(struc, &name_len, 1 
TSRMLS_CC);		\
-		free_class_name = 1;											\
+		class_name = php_lookup_class_name(struc, &name_len, 0 
TSRMLS_CC);		\
+		if (class_name) free_class_name = 1;											\
 	} else {															\
 		class_name = Z_OBJCE_P(struc)->name;							\
 		name_len   = Z_OBJCE_P(struc)->name_length;						\
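Review bot: the second changed line leaves class_name and name_len untouched when php_lookup_class_name() returns NULL and the macro then simply continues, so the suggested else branch should not only emit a warning but also assign a known-safe class_name and name_len; otherwise php_var_serialize_class_name() (var.c:430 in the backtrace above) appends from an indeterminate pointer and length, which is the same failure mode the reporter sees. Because free_class_name is now assigned only on the non-NULL path, callers must initialise it to 0 before expanding PHP_SET_CLASS_ATTRIBUTES, or any later code that frees class_name based on that flag acts on garbage. The change of the third argument from 1 to 0 is the part that addresses the report itself: given that serialize() was observed to drop __PHP_Incomplete_Class_Name, that argument presumably controls deletion of the member during lookup, and with 0 a second serialize() still finds it.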
[2004-07-11 21:50 UTC] sniper@php.net
Didn't try the patch though...

[2004-12-13 00:50 UTC] sniper@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
Thank you for the report, and for helping us make PHP better.

