Bug #34311 unserialize() causes php to segfault
Submitted: 2005-08-30 19:37 UTC Modified: 2005-09-05 18:25 UTC
From: marco at storm dot ee Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5CVS, 4CVS (2005-08-31) OS: *
Private report: No CVE-ID: None
 [2005-08-30 19:37 UTC] marco at storm dot ee
OS: Debian-AMD64, Linux
Configure line: configure --enable-debug --with-zlib

Program terminated with signal 11, Segmentation fault.

#0  0x00000000004ede39 in php_var_unserialize (rval=0x7fffffd4cc90, p=0x7fffffd4cc58,
    max=0x7bb831 "", var_hash=0x7fffffd4cc60)
    at /home/marco/soft/php-4.4.0/ext/standard/var_unserializer.c:428
#1  0x00000000004e5045 in zif_unserialize (ht=1, return_value=0x7b45e0, this_ptr=0x0,
    return_value_used=0) at /home/marco/soft/php-4.4.0/ext/standard/var.c:716
#2  0x0000000000570876 in execute (op_array=0x7b5200)
    at /home/marco/soft/php-4.4.0/Zend/zend_execute.c:1672
#3  0x000000000055aa3d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/marco/soft/php-4.4.0/Zend/zend.c:938
#4  0x000000000051f878 in php_execute_script (primary_file=0x7fffffd4f6b0)
    at /home/marco/soft/php-4.4.0/main/main.c:1751
#5  0x00000000005777a3 in main (argc=2, argv=0x7fffffd4f828)
    at /home/marco/soft/php-4.4.0/sapi/cli/php_cli.c:828

Segfault reproduced with php4-STABLE-200508300648 and php-4.4.0.

Reproduce code:

 $fp = fopen('', 'r');
 $line = fread($fp, 1);


Expected result:
no output

Actual result:
Segmentation fault


 [2005-08-31 16:41 UTC]
Short reproducing script:

# php -r 'unserialize("å");'

(that's a with ring above it :)

 [2005-09-03 16:01 UTC]
After all this was just a simple typo. I've tracked it down and I've made a patch.

Regenerated file with (re2c -b -o):
 [2005-09-05 18:25 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
