php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #53437 Crash when using unserialized DatePeriod instance
Submitted: 2010-12-01 17:15 UTC Modified: 2013-03-04 12:43 UTC
From: from dot php dot net at brainbox dot cz Assigned: derick (profile)
Status: Closed Package: Date/time related
PHP Version: 5.3.3 OS: Windows XP SP3
Private report: No CVE-ID: None
View Developer Edit
 [2010-12-01 17:15 UTC] from dot php dot net at brainbox dot cz 
Description:
------------
DatePeriod class does not have the serialization/unserialization logic implemented. Therefore, when unserialized instance is used, script crashes.

This is result of serializing the DatePeriod instance:
O:10:"DatePeriod":0:{}

unserialize() wents fine as well, but when I call foreach() on unserialized instance, the script crashes.

Test script:
---------------
$dp = new DatePeriod(new DateTime('2010-01-01 UTC'), new DateInterval('P1D'), 2);

echo "Original:\r\n";
foreach($dp as $dt) {
	echo $dt->format('Y-m-d H:i:s')."\r\n";
}
echo "\r\n";

$ser = serialize($dp); // $ser is: O:10:"DatePeriod":0:{}

// Create dangerous instance
$dpu = unserialize($ser); // $dpu has invalid values…

echo "Unserialized:\r\n";
// …which leads to CRASH:
foreach($dpu as $dt) {
	echo $dt->format('Y-m-d H:i:s')."\r\n";
}

Expected result:
----------------
Original:
2010-01-01 00:00:00
2010-01-02 00:00:00
2010-01-03 00:00:00

Unserialized:
2010-01-01 00:00:00
2010-01-02 00:00:00
2010-01-03 00:00:00


Actual result:
--------------
PHP crashes on the "unserialize" line.

Patches

date_patch_var4.patch (last revision 2013-03-14 15:21 UTC by ab@php.net)
date_patch_var3.patch (last revision 2013-03-13 08:53 UTC by ab@php.net)
glopes_date_5.3.patch (last revision 2013-03-06 18:50 UTC by ab@php.net)
glopes_date_5.4.patch (last revision 2013-03-05 11:20 UTC by ab@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-12-01 17:24 UTC] cataphract@php.net
-Status: Open +Status: Verified
 [2010-12-01 17:41 UTC] cataphract@php.net
-Status: Verified +Status: Assigned -Assigned To: +Assigned To: cataphract
 [2010-12-01 21:50 UTC] felipe@php.net 
Duplicated of #52113
 [2011-01-09 06:00 UTC] cataphract@php.net
-Assigned To: cataphract +Assigned To: derick
 [2011-01-09 06:00 UTC] cataphract@php.net 
Reassigning to Derick, as the patch I've written is under his consideration.
 [2011-12-06 06:07 UTC] derick@php.net 
Automatic comment from SVN on behalf of derick
Revision: http://svn.php.net/viewvc/?view=revision&revision=320479
Log: - Added a test case for #53437.
 [2011-12-21 15:10 UTC] tony2001@php.net 
<@Cataphrac> (the Date(Period|Interval) serialization patch is here btw: http://nebm.ist.utl.pt/~glopes/misc/date_period_interval_ser.diff )
 [2013-03-04 12:43 UTC] ab@php.net 
Here's the corresponding BT on windows,

 php5.dll!timelib_time_clone(timelib_time * orig) Line 52C
 php5.dll!date_period_it_rewind(_zend_object_iterator * iter) Line 1910C
 php5.dll!ZEND_FE_RESET_SPEC_CV_HANDLER(_zend_execute_data * execute_data) Line 22777C
 php5.dll!execute(_zend_op_array * op_array) Line 107C
 php5.dll!zend_execute_scripts(int type, _zval_struct * * retval, int file_count, ...) Line 1259C
 php5.dll!php_execute_script(_zend_file_handle * primary_file) Line 2316C
 php.exe!00b3246e()Unknown
 [Frames below may be incorrect and/or missing, no symbols loaded for php.exe]
 ntdll.dll!_RtlpHeapFindListLookupEntry@20()Unknown
 ntdll.dll!_RtlpFindEntry@8()Unknown
 024d2608()Unknown
 msvcr90.dll!__getptd_noexit()Unknown
 msvcr90.dll!__getptd()Unknown
 msvcr90.dll!_LocaleUpdate::_LocaleUpdate(struct localeinfo_struct *)Unknown
 msvcr90.dll!__ismbcalpha()Unknown
 msvcr90.dll!__ismbblead()Unknown
 msvcr90.dll!__lock()Unknown
 msvcr90.dll!__setargv()Unknown
 msvcr90.dll!___getmainargs()Unknown
 php.exe!00b32ca6()Unknown
 php.exe!00b32dca()Unknown
 kernel32.dll!@BaseThreadInitThunk@12()Unknown
 ntdll.dll!___RtlUserThreadStart@8()Unknown
 ntdll.dll!__RtlUserThreadStart@8()Unknown
 [2013-03-05 11:19 UTC] ab@php.net 
The following patch has been added/updated:

Patch Name: glopes_date_5.3.patch
Revision:   1362482379
URL:        https://bugs.php.net/patch-display.php?bug=53437&patch=glopes_date_5.3.patch&revision=1362482379
 [2013-03-05 11:20 UTC] ab@php.net 
The following patch has been added/updated:

Patch Name: glopes_date_5.4.patch
Revision:   1362482416
URL:        https://bugs.php.net/patch-display.php?bug=53437&patch=glopes_date_5.4.patch&revision=1362482416
 [2013-03-06 18:50 UTC] ab@php.net 
The following patch has been added/updated:

Patch Name: glopes_date_5.3.patch
Revision:   1362595811
URL:        https://bugs.php.net/patch-display.php?bug=53437&patch=glopes_date_5.3.patch&revision=1362595811
 [2013-03-13 08:53 UTC] ab@php.net 
The following patch has been added/updated:

Patch Name: date_patch_var3.patch
Revision:   1363164825
URL:        https://bugs.php.net/patch-display.php?bug=53437&patch=date_patch_var3.patch&revision=1363164825
 [2013-03-14 15:21 UTC] ab@php.net 
The following patch has been added/updated:

Patch Name: date_patch_var4.patch
Revision:   1363274506
URL:        https://bugs.php.net/patch-display.php?bug=53437&patch=date_patch_var4.patch&revision=1363274506
 [2013-03-15 08:15 UTC] ab@php.net 
Related To: Bug #62852
 [2013-03-15 16:02 UTC] ab@php.net 
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0ee71557ffd285552659b6aa37ea236e3bad493f
Log: Fixed bug #53437 Crash with unserialized DatePeriod instance
 [2013-03-15 16:02 UTC] ab@php.net
-Status: Assigned +Status: Closed
 [2013-08-30 05:59 UTC] remi@php.net 
Related To: Bug #65564
 [2013-08-30 05:59 UTC] remi@php.net 
Related To: Bug #65564
 [2013-08-30 05:59 UTC] remi@php.net 
Related To: Bug #65564
 [2013-08-30 05:59 UTC] remi@php.net 
Related To: Bug #65564
 [2013-11-17 09:31 UTC] laruence@php.net 
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0ee71557ffd285552659b6aa37ea236e3bad493f
Log: Fixed bug #53437 Crash with unserialized DatePeriod instance
 [2014-06-29 14:44 UTC] info at vdespa dot de 
Related To: Bug #65672
 [2014-07-16 22:40 UTC] nate at frickenate dot com 
The fix here was to break backwards compatibility with existing classes that extend DatePeriod? It's difficult to believe that DateTime can be extended with additional properties, but that DatePeriod cannot.

http://stackoverflow.com/questions/24476185/writing-to-dateperiod-properties-is-unsupported
 [2015-10-17 14:14 UTC] bugs at tmarques dot com 
Related To: Bug #69693
 [2018-02-17 21:47 UTC] php at duncanc dot co dot uk 
Related To: Bug #65672
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Nov 01 20:00:02 2025 UTC