php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #31169 unserialize is broken
Submitted: 2004-12-18 03:06 UTC Modified: 2004-12-29 18:33 UTC
From: michael at digitalgnosis dot com Assigned:
Status: Closed Package: Strings related
PHP Version: 5.0.3 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2004-12-18 03:06 UTC] michael at digitalgnosis dot com 
Description:
------------
unserialize() call which works under 4.3.0 and 5.0.2-1 is now broken under 5.0.3-1 (script hangs until max execution time).  I'm using the dotdeb.org package so they might be responsible, however the changelog for 5.0.3 mentions the following update:

"Fixed potential problems with unserializing invalid serialize data. (Marcus)"

The data being unserialized is about 6.4MB.

Reproduce code:
---------------
unserialize(file_get_contents('sixmegfile.dat'));

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-12-18 11:13 UTC] michael at digitalgnosis dot com 
Tested 5.0.x and 5.1.x snapshots; broken there too. Code runs unchanged in 4.3.0.
 [2004-12-23 06:33 UTC] michael at digitalgnosis dot com 
Something in Marcus' changes to unserialize() between versions 5.0.2 and 5.0.3 broke it.  The 'code sample' is simply: unserialize($data) where $data is a 6.4MB serialized array.  I can't provide the contents of $data but it's evident that unserialize() never returns.  PHP does not seg fault.
 [2004-12-23 22:33 UTC] helly@php.net 
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
an URL to it here. Try avoid embedding huge scripts into the report.
 [2004-12-23 22:34 UTC] helly@php.net 
Unless you cannot provide a failing correct input string i see this bug as closed.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri May 09 06:01:27 2025 UTC