PHP :: Bug #48678 :: DateInterval segfaults when unserialising

Bug #48678	DateInterval segfaults when unserialising
Submitted:	2009-06-24 18:17 UTC	Modified:	2009-06-25 15:10 UTC
From:	felipe@php.net	Assigned:	iliaa (profile)
Status:	Closed	Package:	Date/time related
PHP Version:	5.3CVS-2009-06-24 (CVS)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2009-06-24 18:17 UTC] felipe@php.net

Description:
------------
See below:

Reproduce code:
---------------
$x = new dateinterval("P3Y6M4DT12H30M5S");
unserialize(serialize($x));

Expected result:
----------------
No SIGSEGV.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7b786c0 (LWP 29877)]
0x0806919f in date_object_get_properties_interval (object=0x8f35344, tsrm_ls=0x8df3050) at /home/felipe/dev/php5/ext/date/php_date.c:2221
2221		PHP_DATE_INTERVAL_ADD_PROPERTY("y", y);
(gdb) bt
#0  0x0806919f in date_object_get_properties_interval (object=0x8f35344, tsrm_ls=0x8df3050) at /home/felipe/dev/php5/ext/date/php_date.c:2221
#1  0x0834d127 in object_common2 (rval=0xbf906a94, p=0xbf906a78, max=0x8f35156 "", var_hash=0xbf906a70, tsrm_ls=0x8df3050, elements=8)
    at ext/standard/var_unserializer.re:369
#2  0x0834b4fe in php_var_unserialize (rval=0xbf906a94, p=0xbf906a78, max=0x8f35156 "", var_hash=0xbf906a70, tsrm_ls=0x8df3050)
    at ext/standard/var_unserializer.re:713
#3  0x08339617 in zif_unserialize (ht=1, return_value=0x8f35344, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0x8df3050)
    at /home/felipe/dev/php5/ext/standard/var.c:868
#4  0x08436a24 in zend_do_fcall_common_helper_SPEC (execute_data=0x8f62a94, tsrm_ls=0x8df3050) at /home/felipe/dev/php5/Zend/zend_vm_execute.h:313
#5  0x0843cb8b in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x8f62a94, tsrm_ls=0x8df3050) at /home/felipe/dev/php5/Zend/zend_vm_execute.h:1601
#6  0x084357eb in execute (op_array=0x8f33fc8, tsrm_ls=0x8df3050) at /home/felipe/dev/php5/Zend/zend_vm_execute.h:104
#7  0x083f4ef4 in zend_eval_stringl (str=0xbf9087d3 "$x = new dateinterval(\"P3Y6M4DT12H30M5S\"); unserialize(serialize($x));", str_len=70, retval_ptr=0x0, 
    string_name=0x87a08b4 "Command line code", tsrm_ls=0x8df3050) at /home/felipe/dev/php5/Zend/zend_execute_API.c:1159
#8  0x083f517b in zend_eval_stringl_ex (str=0xbf9087d3 "$x = new dateinterval(\"P3Y6M4DT12H30M5S\"); unserialize(serialize($x));", str_len=70, 
    retval_ptr=0x0, string_name=0x87a08b4 "Command line code", handle_exceptions=1, tsrm_ls=0x8df3050) at /home/felipe/dev/php5/Zend/zend_execute_API.c:1200
#9  0x083f522f in zend_eval_string_ex (str=0xbf9087d3 "$x = new dateinterval(\"P3Y6M4DT12H30M5S\"); unserialize(serialize($x));", retval_ptr=0x0, 
    string_name=0x87a08b4 "Command line code", handle_exceptions=1, tsrm_ls=0x8df3050) at /home/felipe/dev/php5/Zend/zend_execute_API.c:1211
#10 0x084e6ca2 in main (argc=3, argv=0xbf906f84) at /home/felipe/dev/php5/sapi/cli/php_cli.c:1227

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-06-25 15:10 UTC] johannes@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2011-12-06 06:00 UTC] derick@php.net

Automatic comment from SVN on behalf of derick
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=320477
Log: - Cosmetics for test case for #48678.

[2013-08-30 05:59 UTC] remi@php.net

Related To: Bug #65564

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC