php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34311 unserialize() causes php to segfault
Submitted: 2005-08-30 19:37 UTC Modified: 2005-09-05 18:25 UTC
From: marco at storm dot ee Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5CVS, 4CVS (2005-08-31) OS: *
Private report: No CVE-ID: None
 [2005-08-30 19:37 UTC] marco at storm dot ee
Description:
------------
OS: Debian-AMD64, Linux 2.6.12.5
Configure line: configure --enable-debug --with-zlib

gdb:
Program terminated with signal 11, Segmentation fault.

#0  0x00000000004ede39 in php_var_unserialize (rval=0x7fffffd4cc90, p=0x7fffffd4cc58,
    max=0x7bb831 "", var_hash=0x7fffffd4cc60)
    at /home/marco/soft/php-4.4.0/ext/standard/var_unserializer.c:428
#1  0x00000000004e5045 in zif_unserialize (ht=1, return_value=0x7b45e0, this_ptr=0x0,
    return_value_used=0) at /home/marco/soft/php-4.4.0/ext/standard/var.c:716
#2  0x0000000000570876 in execute (op_array=0x7b5200)
    at /home/marco/soft/php-4.4.0/Zend/zend_execute.c:1672
#3  0x000000000055aa3d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/marco/soft/php-4.4.0/Zend/zend.c:938
#4  0x000000000051f878 in php_execute_script (primary_file=0x7fffffd4f6b0)
    at /home/marco/soft/php-4.4.0/main/main.c:1751
#5  0x00000000005777a3 in main (argc=2, argv=0x7fffffd4f828)
    at /home/marco/soft/php-4.4.0/sapi/cli/php_cli.c:828


Segfault reproduced with php4-STABLE-200508300648 and php-4.4.0.

Reproduce code:
---------------
<?php

 $fp = fopen('http://194.204.33.43/test.txt', 'r');
 $line = fread($fp, 1);
 unserialize($line);
 fclose($fp);

?>

Expected result:
----------------
no output

Actual result:
--------------
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-31 16:41 UTC] sniper@php.net
Short reproducing script:

# php -r 'unserialize("?");'

(that's a with ring above it :)


 [2005-09-03 16:01 UTC] nlopess@php.net
After all this was just a simple typo. I've tracked it down and I've made a patch.

Patch: http://mega.ist.utl.pt/~ncpl/php_3411_patch.txt
Regenerated file with (re2c -b -o): http://mega.ist.utl.pt/~ncpl/php_var_unserializer.c.txt
 [2005-09-05 18:25 UTC] sniper@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC