PHP :: Bug #43854 :: Wrong length calculation in serialize S type

Bug #43854

Wrong length calculation in serialize S type

Submitted:

2008-01-15 11:44 UTC

Modified:

2008-01-28 23:37 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

tomasz dot rutkowski at domeny dot pl

Assigned:

Status:

No Feedback

Package:

Arrays related

PHP Version:

5.2.5

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2008-01-15 11:44 UTC] tomasz dot rutkowski at domeny dot pl

Description:
------------
PHP 5.2.5 bad serialize string into multiarray.
This bug is only into PHP 5.2.5 .
PHP 5.2.4 is good.


Reproduce code:
---------------
$bad_serialized_multiarray = 'a:3:{i:0;a:4:{i:0;a:7:{i:0;i:69;i:1;s:30:"Lakier do wzork&#243;w czarny 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"82";}i:1;a:7:{i:0;i:70;i:1;s:43:"Lakier do wzork&#243;w czarny per&#322;owy 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"99";}i:2;a:7:{i:0;i:65;i:1;s:34:"Lakier do wzork&#243;w bia&#322;y 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"85";}i:3;a:7:{i:0;i:75;i:1;s:28:"Lakier utrwalaj&#261;cy 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"92";}}i:1;a:3:{i:0;s:2:"75";i:1;s:28:"Lakier utrwalaj&#261;cy 10ml";i:2;d:12.9900000000000002131628207280300557613372802734375;}i:2;i:13;}';

$fix_serialized_multiarray = 'a:3:{i:0;a:4:{i:0;a:7:{i:0;i:69;i:1;s:34:"Lakier do wzork&#243;w czarny 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"82";}i:1;a:7:{i:0;i:70;i:1;s:47:"Lakier do wzork&#243;w czarny per&#322;owy 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"99";}i:2;a:7:{i:0;i:65;i:1;s:38:"Lakier do wzork&#243;w bia&#322;y 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"85";}i:3;a:7:{i:0;i:75;i:1;s:28:"Lakier utrwalaj&#261;cy 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"92";}}i:1;a:3:{i:0;s:2:"75";i:1;s:28:"Lakier utrwalaj&#261;cy 10ml";i:2;d:12.9900000000000002131628207280300557613372802734375;}i:2;i:13;}';

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-01-15 12:12 UTC] felipe@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

[2008-01-15 15:24 UTC] tomasz dot rutkowski at domeny dot pl

Sorry but I can't reconstruct this bug.
Admin change PHP verions on my demand.
This is productive server and they can't back to error version.

On similar server this bug is not reported :(
Perhaps it is liberty problem.


Example code:

<?php
/* Error string from DB */
$bad_serialize = 'a:3:{i:0;a:4:{i:0;a:7:{i:0;i:69;i:1;s:30:"Lakier do wzork&#243;w czarny 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"82";}i:1;a:7:{i:0;i:70;i:1;s:43:"Lakier do wzork&#243;w czarny per&#322;owy 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"99";}i:2;a:7:{i:0;i:65;i:1;s:34:"Lakier do wzork&#243;w bia&#322;y 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"85";}i:3;a:7:{i:0;i:75;i:1;s:28:"Lakier utrwalaj&#261;cy 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"92";}}i:1;a:3:{i:0;s:2:"75";i:1;s:28:"Lakier utrwalaj&#261;cy 10ml";i:2;d:12.9900000000000002131628207280300557613372802734375;}i:2;i:13;}';
var_dump( unserialize( $bad_serialize ) );
echo '<br />';

/* Good - fixed by me */
$fix_serialize = 'a:3:{i:0;a:4:{i:0;a:7:{i:0;i:69;i:1;s:34:"Lakier do wzork&#243;w czarny 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"82";}i:1;a:7:{i:0;i:70;i:1;s:47:"Lakier do wzork&#243;w czarny per&#322;owy 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"99";}i:2;a:7:{i:0;i:65;i:1;s:38:"Lakier do wzork&#243;w bia&#322;y 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"85";}i:3;a:7:{i:0;i:75;i:1;s:28:"Lakier utrwalaj&#261;cy 10ml";i:2;d:19.980000000000000426325641456060111522674560546875;i:3;i:1;i:4;d:19.980000000000000426325641456060111522674560546875;i:5;s:0:"";i:6;s:2:"92";}}i:1;a:3:{i:0;s:2:"75";i:1;s:28:"Lakier utrwalaj&#261;cy 10ml";i:2;d:12.9900000000000002131628207280300557613372802734375;}i:2;i:13;}';
var_dump( unserialize( $fix_serialize ) );
echo '<br />';

/* Prepared array */
$prepare_array = array( 
  array( 
    array( 69, (string) "Lakier do wzork&#243;w czarny 10ml", (float) 19.98, 1, (float) 19.98, (string) "", (string) "82" ),
    array( 70, (string) "Lakier do wzork&#243;w czarny per&#322;owy 10ml", (float) 19.98, 1, (float) 19.98, (string) "", (string) "99" ),
    array( 65, "Lakier do wzork&#243;w bia&#322;y 10ml", (float) 19.98, 1, (float) 19.98, (string) "",(string) "85" ),
    array( 75, (string) "Lakier utrwalaj&#261;cy 10ml", (float) 19.98, 1, (float) 19.98, (string) "", (string) "92" )
  ),
  array( (string) "75", (string) "Lakier utrwalaj&#261;cy 10ml", (float) 12.99 ),
  2=> 13
);

$tmp = serialize( $prepare_array );
var_dump( unserialize( $tmp ) );
?>

[2008-01-15 15:32 UTC] tomasz dot rutkowski at domeny dot pl

Sorry

Bad: Perhaps it is liberty problem.
Good: Probably it is a library problem.

[2008-01-15 16:12 UTC] felipe@php.net

The example works fine in PHP5.2.5, 5.2.6, 5.3.

[2008-01-15 17:17 UTC] felipe@php.net

Clarifying... The last code. (Prepared array)

[2008-06-03 17:29 UTC] sweetiepiekiara at yahoo dot com

wats up

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Nov 07 19:00:02 2025 UTC