Bug #63369 (un)serialize() leaves dangling pointers, causes crashes
Submitted: 2012-10-26 12:23 UTC Modified: 2012-10-26 12:44 UTC
From: tony2001@php.net Assigned: tony2001 (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.4Git-2012-10-26 (Git) OS: *
Private report: No CVE-ID: None
 [2012-10-26 12:23 UTC] tony2001@php.net
Description:
------------
When a fatal error happens in a __sleep/__wakeup function, BG(serialize) and 
BG(unserialize) contents are left intact and the next request will get those pointers 
again, even though at that moment they are already freed by Zend memory manager 
during request shutdown.
If you're lucky, there is a chance you'll reuse them, which causes immediate crash.
The attached script demonstrates the problem with serialize() and I'm kinda lazy to 
do the same for unserialize(), especially taking into account that the patch is 
extremely simple.

Test script:
---------------
class bar1 {
	function __sleep() {
		foo(); // undefined function: raises a fatal error inside __sleep() while serialize() is nested
	}
}

class foo1 {
	function __sleep() {
		var_dump(serialize(array("test", "1", 234))); // nested serialize() call, shares BG(serialize) state
		var_dump(serialize(new bar1));               // nested call whose __sleep() aborts the request
	}
}

$o = new foo1;

var_dump(unserialize('O:8:"stdclass":0:{}')); //to clear BG(serialize_lock)
var_dump(serialize($o));

Expected result:
----------------
.

Actual result:
--------------
.
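The failure mode in the report is a per-request state (a nesting level and a pointer into request-scoped memory) that is only cleaned up on the normal return path, so a fatal error that bails out of a nested serialize() skips the cleanup and request shutdown frees the memory underneath the still-set pointer. The following C model is an added example, not code from php-src or from the patch attached to this bug: the structures, function names and the tiny arena are constructed stand-ins for BG(serialize), php_var_serialize(), the engine bailout and the Zend memory manager. It shows a request whose __sleep() errors at nesting depth 1 leaving a dangling pointer and a non-zero level behind, and a shutdown routine that resets the state so the next request starts clean. The stale pointer is only compared, never dereferenced.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the per-request state the report calls BG(serialize):
 * a nesting level plus the var_hash allocated by the outermost serialize() call.
 * All names here are illustrative, not php-src declarations. */
typedef struct {
    int   level;     /* how many serialize() calls are currently nested */
    void *var_hash;  /* allocated on the 0 -> 1 transition, freed when level returns to 0 */
} serialize_state;

typedef struct {
    serialize_state serialize;
    int serialize_lock;
} basic_globals;

static basic_globals BG;
static jmp_buf bailout;   /* stands in for the engine's bailout on a fatal error */

/* Tiny stand-in for the request-scoped memory manager: allocations are recorded
 * so request shutdown can release whatever is still live. */
#define ARENA_SLOTS 16
static void *arena[ARENA_SLOTS];
static int   arena_count;

static void *emalloc_model(size_t n) {
    void *p = calloc(1, n);
    arena[arena_count++] = p;
    return p;
}

static void efree_model(void *p) {
    for (int i = 0; i < arena_count; i++) {
        if (arena[i] == p) { arena[i] = arena[--arena_count]; break; }
    }
    free(p);
}

static void shutdown_memory_manager(void) {
    for (int i = 0; i < arena_count; i++) free(arena[i]);
    arena_count = 0;   /* any copy of these pointers kept elsewhere is now dangling */
}

/* Model of nested serialize() calls: __sleep() at each depth calls serialize()
 * again. A fatal error at fail_at_depth longjmps out, so neither the level
 * decrement nor the efree below runs for any frame still on the stack. */
static void serialize_model(int depth, int fail_at_depth) {
    if (BG.serialize.level++ == 0) {
        BG.serialize.var_hash = emalloc_model(64);
    }
    if (depth == fail_at_depth) {
        longjmp(bailout, 1);   /* the undefined foo() call in __sleep() */
    }
    if (depth < 2) {
        serialize_model(depth + 1, fail_at_depth);
    }
    if (--BG.serialize.level == 0) {
        efree_model(BG.serialize.var_hash);
        BG.serialize.var_hash = NULL;
    }
}

/* Request shutdown as reported: the arena is released, BG(serialize) is not. */
static void request_shutdown_buggy(void) {
    shutdown_memory_manager();
}

/* Request shutdown with the state reset, so the next request can neither see a
 * non-zero level nor inherit a pointer into freed memory. */
static void request_shutdown_fixed(void) {
    shutdown_memory_manager();
    BG.serialize_lock = 0;
    memset(&BG.serialize, 0, sizeof BG.serialize);
}

void reset_globals(void) { memset(&BG, 0, sizeof BG); }

/* Run one request; fail_at_depth < 0 means __sleep() never errors. Returns 1 if
 * the state handed to the next request is stale: a non-zero level (the next
 * outermost serialize() would skip allocating and reuse var_hash) or a var_hash
 * pointer that outlived the arena. */
int run_request(int fail_at_depth, void (*shutdown)(void)) {
    if (setjmp(bailout) == 0) {
        serialize_model(0, fail_at_depth);
    }
    shutdown();   /* php_request_shutdown() runs after a bailout too */
    return BG.serialize.level != 0 || BG.serialize.var_hash != NULL;
}

int main(void) {
    printf("normal request, buggy shutdown:  stale=%d\n", run_request(-1, request_shutdown_buggy));
    reset_globals();
    printf("fatal in __sleep, buggy shutdown: stale=%d\n", run_request(1, request_shutdown_buggy));
    reset_globals();
    printf("fatal in __sleep, fixed shutdown: stale=%d\n", run_request(1, request_shutdown_fixed));
    return 0;
}
```

The general lesson for detection and review is that any request-scoped global holding a pointer or a re-entrancy counter needs a reset on the request shutdown path, not only on the normal return path, because a fatal error is a non-local exit that skips every in-function cleanup.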

Patches

the-patch (last revision 2012-10-26 12:24 UTC by tony2001@php.net)


Pull Requests


History

 [2012-10-26 12:24 UTC] tony2001@php.net
The following patch has been added/updated:

Patch Name: the-patch
Revision:   1351254242
URL:        https://bugs.php.net/patch-display.php?bug=63369&patch=the-patch&revision=1351254242
 [2012-10-26 12:43 UTC] tony2001@php.net
-Status: Open +Status: Closed
 [2012-10-26 12:43 UTC] tony2001@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f2bffdc2e48174e38a059d425953e8b1c08dd4bf
Log: fix bug #63369
 [2012-10-26 12:43 UTC] tony2001@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=01dee2c4b009d052f0fdfa07f35c181a1ac4aca0
Log: fix bug #63369
 [2012-10-26 12:44 UTC] tony2001@php.net
Merged patches f2bffdc and 01dee2c.
 [2012-10-26 12:44 UTC] tony2001@php.net
-Assigned To: +Assigned To: tony2001
 [2012-10-26 16:49 UTC] dmitry@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f2bffdc2e48174e38a059d425953e8b1c08dd4bf
Log: fix bug #63369
 [2013-11-17 09:32 UTC] laruence@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=01dee2c4b009d052f0fdfa07f35c181a1ac4aca0
Log: fix bug #63369
 [2014-10-07 23:21 UTC] stas@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=f2bffdc2e48174e38a059d425953e8b1c08dd4bf
Log: fix bug #63369
 [2014-10-07 23:32 UTC] stas@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=f2bffdc2e48174e38a059d425953e8b1c08dd4bf
Log: fix bug #63369
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Sep 16 06:01:27 2019 UTC