Bug #45826 serialize of ArrayObject causes segmentation fault
Submitted: 2008-08-15 00:14 UTC Modified: 2008-08-25 18:41 UTC
From: kevin dot armenat at googlemail dot com Assigned: colder
Status: Closed Package: SPL related
PHP Version: 5.3CVS, 6CVS (2008-08-15) OS: *
Private report: No CVE-ID:
 [2008-08-15 00:14 UTC] kevin dot armenat at googlemail dot com
Description:
------------
Serialize causes a segmentation fault if you try to serialize an object ("A") which contains an object ("B") which references object "A".

It's still working with PHP 5.2.4, but it crashes with PHP 5.3.0alpha1.

Reproduce code:
---------------
<?php
// "A" owns an ArrayObject of "B" instances and every "B" points back to
// its "A", so the object graph contains the cycle A -> ArrayObject -> B -> A.
class A {
	private $bList;
	public function __construct() {
		$this->bList = new ArrayObject();
	}
	public function addB(B $b) {
		$this->bList->append($b);
	}
}
class B {
	private $parentA;
	public function __construct(A $parentA) {
		$this->parentA = $parentA;
	}
}

$a = new A();
$b = new B($a);
$a->addB($b);
echo serialize($a);   // segfaults on 5.3.0alpha1, see the backtrace below

Expected result:
----------------
The serialized object of class "A"

Actual result:
--------------
#0  0xb744b8a8 in _zend_mm_alloc_int (heap=0x81e0db8, size=20) at /home/kevin/php-5.3.0alpha1/Zend/zend_alloc.c:1743
#1  0xb745c821 in zend_call_function (fci=0xbf15f148, fci_cache=0xbf15f16c) at /home/kevin/php-5.3.0alpha1/Zend/zend_execute_API.c:894
#2  0xb747b018 in zend_call_method (object_pp=0xbf15f200, obj_ce=0x824bfc8, fn_proxy=0x824c0dc, function_name=0xb77311f0 "serialize",
    function_name_len=9, retval_ptr_ptr=0xbf15f1ec, param_count=0, arg1=0x0, arg2=0x0)
    at /home/kevin/php-5.3.0alpha1/Zend/zend_interfaces.c:89
#3  0xb747b26d in zend_user_serialize (object=0x82f1164, buffer=0xbf15f28c, buf_len=0xbf15f278, data=0xbf15f570)
    at /home/kevin/php-5.3.0alpha1/Zend/zend_interfaces.c:414
#4  0xb73dc722 in php_var_serialize_intern (buf=0xbf15f5a8, struc=0x82f1164, var_hash=0xbf15f570)
    at /home/kevin/php-5.3.0alpha1/ext/standard/var.c:694
#5  0xb73dc497 in php_var_serialize_intern (buf=0xbf15f5a8, struc=0x82f0f88, var_hash=0xbf15f570)
    at /home/kevin/php-5.3.0alpha1/ext/standard/var.c:795
#6  0xb73dc497 in php_var_serialize_intern (buf=0xbf15f5a8, struc=0x82f1300, var_hash=0xbf15f570)
    at /home/kevin/php-5.3.0alpha1/ext/standard/var.c:795
#7  0xb73dc497 in php_var_serialize_intern (buf=0xbf15f5a8, struc=0x82f128c, var_hash=0xbf15f570)
    at /home/kevin/php-5.3.0alpha1/ext/standard/var.c:795
#8  0xb73de049 in php_var_serialize (buf=0xbf15f5a8, struc=0x82f11e4, var_hash=0xbf15f570)
    at /home/kevin/php-5.3.0alpha1/ext/standard/var.c:814
#9  0xb72f0838 in zim_spl_Array_serialize (ht=0, return_value=0x8568bbc, return_value_ptr=0xbf15f79c, this_ptr=0x82f1164,
    return_value_used=1) at /home/kevin/php-5.3.0alpha1/ext/spl/spl_array.c:1491
#10 0xb745c891 in zend_call_function (fci=0xbf15f6f8, fci_cache=0xbf15f71c) at /home/kevin/php-5.3.0alpha1/Zend/zend_execute_API.c:898
#11 0xb747b018 in zend_call_method (object_pp=0xbf15f7b0, obj_ce=0x824bfc8, fn_proxy=0x824c0dc, function_name=0xb77311f0 "serialize",
    function_name_len=9, retval_ptr_ptr=0xbf15f79c, param_count=0, arg1=0x0, arg2=0x0)
    at /home/kevin/php-5.3.0alpha1/Zend/zend_interfaces.c:89

[...]
endlessly repeated

 [2008-08-15 00:44 UTC] kevin dot armenat at googlemail dot com
You still need this short code to reproduce the error; it's related to the ArrayObject, not to the user-defined classes.

<?php
$x = new ArrayObject();
$x->append($x);   // the ArrayObject now contains itself

serialize($x);    // reproduces the crash
 [2008-08-15 00:49 UTC] jani@php.net
Works fine with 5.2CVS, crashes with anything greater.


 [2008-08-25 18:41 UTC] colder@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2010-04-09 21:20 UTC] marcelovt at gmail dot com
Hi, I still have a problem using serialize; it works fine in 5.2.

Addendum:
I have an objectToJson function that uses serialize; if the object contains an ArrayObject, the error occurs.

Code:
-----------------

<?php
// Body of the reporter's objectToJson(): rewrites the serialized form so
// that every object comes back from unserialize() as a plain array.
function objectToJson($object)
{
  $serial = serialize( $object ) ;

  // every object header O:<len>:"Class" becomes an array header
  $serial = preg_replace( '/O:\d+:".+?"/' ,'a' , $serial ) ;
  // private/protected property names carry a "\0Class\0" / "\0*\0" prefix
  // ('\\0' in a single-quoted string is the PCRE NUL escape); strip it and
  // fix up the s:<len> so the string length matches again
  if( preg_match_all( '/s:\d+:"\\0.+?\\0(.+?)"/' , $serial, $ms, PREG_SET_ORDER )) {
    foreach( $ms as $m ) {
      $serial = str_replace( $m[0], 's:'. strlen( $m[1] ) . ':"'.$m[1] . '"', $serial ) ;
      }
    }

  return @unserialize( $serial ) ;
}
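Editor's added example, not code from this report or from PHP: the walk that serialize() has to make over the graphs in this report, done in user space with cycle detection. On 5.3.0alpha1 serialize() recursed without limit once an ArrayObject could reach itself, directly (the two-line repro in the second comment) or through private properties (the A/B graph in the description); this walker visits the graph the same way but keeps every object on the current path in an SplObjectStorage and stops as soon as one comes round again. As a by-product it returns the nested-array form that the regex rewrite in objectToJson() above tries to recover from the serialized string, so neither that rewrite nor the @unserialize() of a hand-edited string is needed. graphToArray(), safeSerialize() and CycleFound are names chosen for this example; the inputs at the bottom are constructed.

```php
<?php
// Added example for bug #45826, not code from the report or from PHP.
// graphToArray(), safeSerialize() and CycleFound are names chosen here.

final class CycleFound extends RuntimeException {}

function graphToArray($value, SplObjectStorage $path = null)
{
    if ($path === null) {
        $path = new SplObjectStorage();
    }
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = graphToArray($v, $path);
        }
        return $out;
    }
    if (!is_object($value)) {
        return $value;                          // scalars and null pass through
    }
    if ($path->contains($value)) {              // already on the path: a cycle
        throw new CycleFound(sprintf('cycle through %s (%s)',
            get_class($value), spl_object_hash($value)));
    }
    $path->attach($value);

    $out = array('__class' => get_class($value));
    if ($value instanceof ArrayObject || $value instanceof ArrayIterator) {
        // the storage behind an ArrayObject is not a property: read it explicitly
        foreach ($value->getArrayCopy() as $k => $v) {
            $out[$k] = graphToArray($v, $path);
        }
    }
    // private/protected properties through reflection, so there is no
    // "\0Class\0name" mangling to undo afterwards (ReflectionObject does not
    // list a parent class's private properties; extend this if you need them)
    $ref = new ReflectionObject($value);
    foreach ($ref->getProperties() as $prop) {
        if ($prop->isStatic()) {
            continue;
        }
        $prop->setAccessible(true);
        $out[$prop->getName()] = graphToArray($prop->getValue($value), $path);
    }
    $path->detach($value);   // off the path again: the same object reachable
    return $out;             // twice without a cycle is legitimate
}

// Refuse to hand a cyclic graph to serialize(): on an affected build that is
// a crash (stack exhaustion), on any other build unbounded work.
function safeSerialize($value)
{
    graphToArray($value);
    return serialize($value);
}

// --- constructed inputs ----------------------------------------------------
// Shared but acyclic: one object appended twice. Must pass.
$shared = new stdClass();
$shared->name = 'leaf';
$ok = new ArrayObject(array(1, 'two'));
$ok->append($shared);
$ok->append($shared);
echo json_encode(graphToArray($ok)), "\n";
echo safeSerialize($ok), "\n";

// The two-line repro from the second comment. Must be refused.
$x = new ArrayObject();
$x->append($x);
try {
    safeSerialize($x);
} catch (CycleFound $e) {
    echo "refused: ", $e->getMessage(), "\n";
}

// The A/B graph from the description: the cycle is hidden behind private
// properties and an ArrayObject. Must be refused as well.
class A {
    private $bList;
    public function __construct() { $this->bList = new ArrayObject(); }
    public function addB(B $b) { $this->bList->append($b); }
}
class B {
    private $parentA;
    public function __construct(A $parentA) { $this->parentA = $parentA; }
}
$a = new A();
$a->addB(new B($a));
try {
    safeSerialize($a);
} catch (CycleFound $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
```

Run it with any PHP from 5.3 on (ReflectionProperty::setAccessible() is 5.3+): the acyclic ArrayObject is flattened and serialized, the two cyclic graphs are refused with the class at which the cycle closes. The guard costs one extra pass over the graph. If the graph is built from untrusted input, also bound the depth, since a long non-cyclic chain still recurses once per level in this walker exactly as it does in serialize().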
 
Last updated: Sat Apr 19 22:02:16 2014 UTC