php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #31169 unserialize is broken
Submitted: 2004-12-18 03:06 UTC Modified: 2004-12-29 18:33 UTC
From: michael at digitalgnosis dot com Assigned:
Status: Closed Package: Strings related
PHP Version: 5.0.3 OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: michael at digitalgnosis dot com
New email:
PHP Version: OS:

 

 [2004-12-18 03:06 UTC] michael at digitalgnosis dot com
Description:
------------
unserialize() call which works under 4.3.0 and 5.0.2-1 is now broken under 5.0.3-1 (script hangs until max execution time).  I'm using the dotdeb.org package so they might be responsible, however the changelog for 5.0.3 mentions the following update:

"Fixed potential problems with unserializing invalid serialize data. (Marcus)"

The data being unserialized is about 6.4MB.

Reproduce code:
---------------
unserialize(file_get_contents('sixmegfile.dat'));


Patches

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-12-18 11:13 UTC] michael at digitalgnosis dot com
Tested 5.0.x and 5.1.x snapshots; broken there too. Code runs unchanged in 4.3.0.
 [2004-12-23 06:33 UTC] michael at digitalgnosis dot com
Something in Marcus' changes to unserialize() between versions 5.0.2 and 5.0.3 broke it.  The 'code sample' is simply: unserialize($data) where $data is a 6.4MB serialized array.  I can't provide the contents of $data but it's evident that unserialize() never returns.  PHP does not seg fault.
 [2004-12-23 22:33 UTC] helly@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
an URL to it here. Try avoid embedding huge scripts into the report.
 [2004-12-23 22:34 UTC] helly@php.net
Unless you cannot provide a failing correct input string i see this bug as closed.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Sep 10 04:01:27 2024 UTC