Bug #35369 Serialized objects referencing each other, memory exhaustion when unserializing
Submitted: 2005-11-24 16:15 UTC
Modified: 2005-12-02 01:00 UTC
Votes: 5
Avg. Score: 4.8 ± 0.4
Reproduced: 3 of 4 (75.0%)
Same Version: 1 (33.3%)
Same OS: 1 (33.3%)
From: bugreports at insign dot ch
Assigned:
Status: No Feedback
Package: Class/Object related
PHP Version: 5CVS-2005-11-24 (CVS)
OS: Prolly irrelevant (Linux 2.6.4)
Private report: No
CVE-ID: None
 [2005-11-24 16:15 UTC] bugreports at insign dot ch
Description:
------------
Objects, referencing each other, are serialized. The reference seems to be represented as R:1 in the serialized data.

When unserializing the string, it seems (begin of guess) that the reference is not interpreted correctly and countless objects are instantiated instead (end of guess) - the script takes remarkably long and ends with the allowed memory size exhausted.

The problem doesn't seem to occur when the unserialized data is simply echoed instead of assigned to a variable, but obviously that's not so useful. The problem still occurs when var_dumping the unserialized data.

The problem exists on PHP 5.1.0RC6, but not on PHP 5.0.5. Unfortunately, we cannot install the CVS version just for checking if the problem still exists. We hope you're still willing to at least quickly verify it.

Reproduce code:
---------------
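<?php
class A {
  public $b;
}

class B {
  public $a;
}

// Two objects that hold references to each other
$a = new A();
$b = new B();
$a->b = &$b;
$b->a = &$a;

// Round trip through serialize()/unserialize()
$x = unserialize(serialize($a));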

Expected result:
----------------
$x is a copy of $a, with $x->b being a copy of $b that holds a reference to $x. print_r'd that would look like this:

A Object
(
    [b] => B Object
        (
            [a] => A Object
 *RECURSION*
        )

)

Actual result:
--------------
Memory exhaustion and sometimes a segmentation fault.
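
A regression check for the expected result described in the report, added here as an example and not part of the original report or of PHP's own tests: it rebuilds the cycle from the reproduce code, unserializes it with a class allow-list, and confirms that the restored graph holds exactly two objects rather than an ever-growing chain. `count_objects()`, the 32M memory cap and the depth limit are assumptions made for illustration; the `max_depth` option needs PHP 7.4 or later.

```php
<?php
// Added example: classes A and B mirror the reproduce code in the report.
class A { public $b; }
class B { public $a; }

// Hypothetical helper: count distinct objects reachable from $root,
// visiting each object once so that a cycle terminates the walk.
function count_objects(object $root): int
{
    $seen  = [];
    $stack = [$root];
    while ($stack) {
        $obj = array_pop($stack);
        $id  = spl_object_id($obj);
        if (isset($seen[$id])) {
            continue; // already visited, this edge closes a cycle
        }
        $seen[$id] = true;
        foreach (get_object_vars($obj) as $value) {
            if (is_object($value)) {
                $stack[] = $value;
            }
        }
    }
    return count($seen);
}

$a = new A();
$b = new B();
$a->b = &$b;
$b->a = &$a;
$payload = serialize($a);

// Fail fast instead of exhausting the host if unserialize() misbehaves.
ini_set('memory_limit', '32M');
$x = unserialize($payload, ['allowed_classes' => ['A', 'B'], 'max_depth' => 16]);

// The restored graph must be the same shape as the original: A -> B -> back to A.
$ok = $x instanceof A
    && $x->b instanceof B
    && $x->b->a === $x
    && count_objects($x) === 2;

echo $payload, PHP_EOL;
echo $ok ? "cycle restored with 2 objects\n" : "REGRESSION: graph differs from the original\n";
exit($ok ? 0 : 1);
```

The exit status is non-zero when the restored graph differs, so the script can run in CI against each PHP build under evaluation.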

 [2005-11-24 16:20 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2005-12-02 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
Last updated: Wed Dec 11 13:01:29 2024 UTC