Bug #35410 Strange behavior of function "wddx_deserialize"
Submitted: 2005-11-26 17:11 UTC Modified: 2005-11-30 19:13 UTC
From: thomas dot werner at mac dot com Assigned: iliaa
Status: Closed Package: WDDX related
PHP Version: 5CVS, 4CVS (2005-11-30) (cvs) OS: *
Private report: No CVE-ID:
 [2005-11-26 17:11 UTC] thomas dot werner at mac dot com
Description:
------------
I have a wddx file:
*******************

<wddxpacket version="1.0">
  <header>
    <comment>Content Configuration File</comment>
  </header>
  <data>
    <struct>
      <var name="content_queries">
        <struct>
          <var name="content_113300831086270200">
            <struct>
              <var name="113301888545229100">
                <struct>
                  <var name="max">
                    <number>10</number>
                  </var>
                  <var name="cache">
                    <number>4</number>
                  </var>
                  <var name="order">
                    <struct>
                      <var name="content_113300831086270200">
                        <struct>
                          <var name="CMS_BUILD">
                            <string>desc</string>
                          </var>
                        </struct>
                      </var>
                    </struct>
                  </var>
                </struct>
              </var>
            </struct>
          </var>
        </struct>
      </var>
    </struct>
  </data>
</wddxpacket>

and load it with the function "wddx_deserialize" in $config. 
var_dump outputs different arrays in php-4.4.0 and 
php-4.4.1.

["113301888545229100"] (4.4.0) and [2147483647] (4.4.1) are 
not the same (string vs. int).

I used exactly the same configuration for compiling and 
checked it with Debian sarge on Linux and Mac OS X too.

cheers tom

Reproduce code:
---------------
[...]

if ( !( $filepointer = @fopen( $filename, 'r' ) ) ) {
	return false;
}
while ( !feof( $filepointer) ) {
	$data .= fgets( $filepointer, 4096 );
}
fclose( $filepointer );

if ( $data ) {	

	$config = wddx_deserialize( $data );
	
[...]

Expected result:
----------------
[...]
  ["content_queries"]=>
  array(1) {
    ["content_113300831086270200"]=>
    array(1) {
      ["113301888545229100"]=>
      array(3) {
        ["max"]=>
        int(10)
        ["cache"]=>
        int(4)
        ["order"]=>
        array(1) {
          ["content_113300831086270200"]=>
          array(1) {
            ["CMS_BUILD"]=>
            string(4) "desc"
          }
        }
      }
    }
  }
[...]

Actual result:
--------------
[...]
  ["content_queries"]=>
  array(1) {
    ["content_113300831086270200"]=>
    array(1) {
      [2147483647]=> 
[...]

2147483647 is not right...

 [2005-11-26 18:11 UTC] mj@php.net
PHP 5.1.0 on Linux compiled with ./configure --enable-wddx gives me the following results that are again different from the 4.4.1 and 4.4.0 results:

array(1) {
  ["content_queries"]=>
  array(1) {
    ["content_113300831086270200"]=>
    array(1) {
      [-2147483648]=>
      array(3) {
        ["max"]=>
        int(10)
        ["cache"]=>
        int(4)
        ["order"]=>
        array(1) {
          ["content_113300831086270200"]=>
          array(1) {
            ["CMS_BUILD"]=>
            string(4) "desc"
          }
        }
      }
    }
  }
}

 [2005-11-26 18:32 UTC] thomas dot werner at mac dot com
PHP 5.0.4/5.0.5 on Mac and 5.0.5 on Linux output the same 
as 4.4.0. I guess this behavior began with the "fast" 
fixes of the PHP file-upload/$GLOBALS overwrite vulnerability, but 
I'm not sure, or another fix introduced in 4.4.1. Maybe the 
XML parser thinks, oh it's a number, not a string, and converts 
it to an integer, but it's out of range... I only know my PHP app 
worked for years :o)
 [2005-11-26 18:55 UTC] mj@php.net
I looked into this a bit deeper and it appears that the behaviour changed when fixing #34068.  The patch can be seen at http://cvs.php.net/diff.php/php-src/ext/wddx/wddx.c?ws=0&r1=1.119&r2=1.120&ty=u.
 [2005-11-28 09:03 UTC] thomas dot werner at mac dot com
What does it mean? A bug or a new "feature"? Feature because 
you wrote "the behaviour changed" ...
 [2005-11-30 17:04 UTC] sniper@php.net
Assigned to the one who broke it. :)
 [2005-11-30 19:13 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
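
The key coercion seen in this report, as an added C example that is not PHP's wddx.c code: `clamp_key` is a hypothetical lossy conversion that assumes a 32-bit integer key type, and `key_as_int32` is a hypothetical checked conversion that leaves out-of-range or non-canonical names as string keys. With the lossy version, every distinct out-of-range name collapses onto the same integer key, so sibling entries in a deserialized struct would overwrite each other.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Lossy conversion (assumed behaviour, for illustration): parse the name as
 * a number and clamp it to the signed 32-bit range. Every out-of-range
 * name becomes INT32_MAX or INT32_MIN. */
int32_t clamp_key(const char *name)
{
    long long v = strtoll(name, NULL, 10);
    if (v > INT32_MAX) return INT32_MAX;
    if (v < INT32_MIN) return INT32_MIN;
    return (int32_t)v;
}

/* Checked conversion: returns 1 and stores the value only when the whole
 * name is a canonical decimal integer that fits in int32_t. Returns 0 when
 * the name has to stay a string key. */
int key_as_int32(const char *name, int32_t *out)
{
    char *end;
    const char *digits = (name[0] == '-') ? name + 1 : name;
    long long v;

    /* Must start with a digit; "007", "-0", "+5" and "" stay strings. */
    if (digits[0] < '0' || digits[0] > '9') return 0;
    if (digits[0] == '0' && (digits[1] != '\0' || name[0] == '-')) return 0;
    errno = 0;
    v = strtoll(name, &end, 10);
    if (errno == ERANGE || *end != '\0') return 0;   /* overflow or trailing junk */
    if (v > INT32_MAX || v < INT32_MIN) return 0;    /* does not fit the key type */
    *out = (int32_t)v;
    return 1;
}

int main(void)
{
    const char *k = "113301888545229100";   /* var name from the report */
    int32_t n = 0;
    printf("clamped: %d\n", (int)clamp_key(k));
    printf("usable as integer key: %d\n", key_as_int32(k, &n));
    return 0;
}
```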


 