php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34306 wddx_serialize_value() crashes with long array keys
Submitted: 2005-08-30 14:10 UTC Modified: 2005-08-31 16:33 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: dmitrysp at yandex dot ru Assigned:
Status: Closed Package: WDDX related
PHP Version: 5CVS, 4CVS (2005-08-31) OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: dmitrysp at yandex dot ru
New email:
PHP Version: OS:

 

 [2005-08-30 14:10 UTC] dmitrysp at yandex dot ru
Description:
------------
Apache2 crash. 

Try Apache2 + PHP 5.1.0RC1, 
Apache2 + PHP 5.1.0-dev (built: Aug 30 2005 08:42:21), 
php.exe 4.3.0 console.

szAppName : Apache.exe     szAppVer : 2.0.54.0     szModName : php5ts.dll     
szModVer : 5.1.0.0     offset : 001e144d     

Reproduce code:
---------------
    $str='';
    for ($i=1; $i<255; $i++) $str.=chr($i);
    $mix=array($str=>1);
    $buf=wddx_serialize_value($mix, 'name'); // apache crash here
    echo "ok";



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-31 11:27 UTC] sniper@php.net
Apparently the maximum array key lenght for wddx serializer is 254. It doesn't matter what the content is.

 [2005-08-31 11:28 UTC] sniper@php.net
Correction: The max length is 251.
 [2005-08-31 14:43 UTC] sniper@php.net
(gdb) bt
#0  0x083b98dd in _zend_is_inconsistent (ht=0x0, file=0x869a3f0 "/usr/src/php/php_5_1/Zend/zend_hash.c", line=1022)
    at /usr/src/php/php_5_1/Zend/zend_hash.c:53
#1  0x083bc002 in zend_hash_move_forward_ex (ht=0x0, pos=0x0) at /usr/src/php/php_5_1/Zend/zend_hash.c:1022
#2  0x08355ed5 in php_wddx_serialize_array (packet=0x0, arr=0x0) at /usr/src/php/php_5_1/ext/wddx/wddx.c:589

 [2005-08-31 14:44 UTC] sniper@php.net
Previous frame inner to this frame (corrupt stack?)
 [2005-08-31 16:32 UTC] sniper@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in HEAD and PHP_5_1 branches. Won't fix elsewhere.

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 10 00:01:28 2024 UTC