Bug #65591 Segfault when calling parent::serialize in serialize().
Submitted: 2013-08-30 09:03 UTC Modified: 2017-01-01 12:12 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:3 (100.0%)
From: arjen at react dot com Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 5.5.6 OS: Linux
Private report: No CVE-ID: None
 [2013-08-30 09:03 UTC] arjen at react dot com
Description:
------------
From https://bugs.php.net/bug.php?id=63481&edit=3
Created a new issue because it's different from the original bug report.

See 
https://gist.github.com/aurelijus/4713758

Crashes 5.4.0 - 5.5.3: http://3v4l.org/PBT99

Test script:
---------------
<?php
class Permission implements \Serializable {
    protected $id = 3;
    public function serialize()
    {
        return serialize(array($this->id));
    }
    public function unserialize($serialized)
    {
        list($this->id) = unserialize($serialized);
    }
 
}
 
class UserPermission implements \Serializable {
    public $permission;
    public $webshop;
 
    public function serialize()
    {
        return serialize(array($this->webshop, $this->permission));
    }
    public function unserialize($serialized)
    {
        list($this->webshop, $this->permission) = unserialize($serialized);
    }
}
 
class Webshop  implements \Serializable {
    protected $id = 13;
    public function serialize()
    {
        return serialize(array($this->id));
    }
    public function unserialize($serialized)
    {
        list($this->id) = unserialize($serialized);
    }
 
}
 
class AbstractToken  implements \Serializable {
    public $roles;
 
    public function serialize()
    {
        return serialize(array($this->roles));
    }
    public function unserialize($serialized)
    {
        list($this->roles) = unserialize($serialized);
    }
 
}
class UsernamePasswordToken extends AbstractToken {
    private $credentials = null;
    private $providerKey = null;
 
    public function serialize()
    {
        return serialize(array($this->credentials, $this->providerKey, parent::serialize()));
    }
 
    public function unserialize($str)
    {
        list($this->credentials, $this->providerKey, $parentStr) = unserialize($str);
        parent::unserialize($parentStr);
    }
}
 
$token = new UsernamePasswordToken();
$webshop = new Webshop;
$permission = new Permission;
$roles = array();
for ($i = 0; $i < 2; $i++) {
    $roles[$i] = new UserPermission();
    $roles[$i]->webshop = $webshop;
    $roles[$i]->permission = $permission;
}
$token->roles = $roles;
var_dump(unserialize(serialize($token)));

Actual result:
--------------
segfault
Backtrace @ https://gist.github.com/anonymous/5720464

Patches

bug65591.phpt (last revision 2013-08-30 09:53 UTC by arjen at react dot com)

History

 [2013-12-12 11:53 UTC] arjen at react dot com
-PHP Version: 5.4Git-2013-08-30 (Git)
+PHP Version: 5.5.6
 [2013-12-12 11:53 UTC] arjen at react dot com
Still crashes, see http://3v4l.org/QFDDc
 [2014-05-22 11:41 UTC] arjen at react dot com
This is fixed on the PHPNG (PHP 5.7) branch: http://3v4l.org/QFDDc#v57@20140507
 [2014-12-06 14:39 UTC] andrzej at code dot eu
The problem is not resolved. It can be seen at http://3v4l.org/PBT99
UsernamePasswordToken->roles[0]->webshop is OK, but UsernamePasswordToken->roles[1]->webshop is an array, not an instance of the Webshop class.
 [2015-04-21 20:15 UTC] dimon dot ksk at gmail dot com
Additional example:

http://3v4l.org/gMDup
https://gist.github.com/dimarick/2a116047282baecd17e8

This bug occurs when serialize is called from \Serializable::serialize() more than once, and in the serialized data one object instance is used once or more.

Helpful code references: 
https://github.com/php/php-src/blob/PHP-5.5.24/ext/standard/var.c#L576
https://github.com/php/php-src/blob/PHP-5.5.24/ext/standard/var.c#L726
 [2017-01-01 12:12 UTC] nikic@php.net
-Status: Open
+Status: Duplicate
 [2017-01-01 12:12 UTC] nikic@php.net
The PHP 7 issue is a duplicate of bug #70767, which is resolved as of PHP 7.0.14. Bug #66085 may also be playing into this on PHP 5.
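
Added example, not part of the bug report, its test script or any comment above: the same object graph written with the __serialize()/__unserialize() hooks (PHP 7.4+), so that no class calls serialize() from inside its own serialization hook, which is the pattern the 2015-04-21 comment identifies. The trait name SerializesId and the final identity check are assumptions made for illustration.

```php
<?php
// Added example: the test script's object graph; every hook returns an array.
trait SerializesId {   // hypothetical helper name, not from the report
    public function __serialize(): array { return [$this->id]; }
    public function __unserialize(array $data): void { [$this->id] = $data; }
}
class Webshop { use SerializesId; protected $id = 13; }
class Permission { use SerializesId; protected $id = 3; }

class UserPermission {
    public $permission;
    public $webshop;
    public function __serialize(): array { return [$this->webshop, $this->permission]; }
    public function __unserialize(array $data): void { [$this->webshop, $this->permission] = $data; }
}
class AbstractToken {
    public $roles;
    public function __serialize(): array { return [$this->roles]; }
    public function __unserialize(array $data): void { [$this->roles] = $data; }
}
class UsernamePasswordToken extends AbstractToken {
    private $credentials = null;
    private $providerKey = null;
    public function __serialize(): array {
        // Parent state is nested as an array, not as a second serialized
        // string, so the whole graph is written by a single serialize() call.
        return [$this->credentials, $this->providerKey, parent::__serialize()];
    }
    public function __unserialize(array $data): void {
        [$this->credentials, $this->providerKey, $parentData] = $data;
        parent::__unserialize($parentData);
    }
}

$webshop = new Webshop;
$permission = new Permission;
$roles = [];
for ($i = 0; $i < 2; $i++) {
    $roles[$i] = new UserPermission();
    $roles[$i]->webshop = $webshop;
    $roles[$i]->permission = $permission;
}
$token = new UsernamePasswordToken();
$token->roles = $roles;
$copy = unserialize(serialize($token));
// Both roles must still share one Webshop instance after the round trip.
if (!($copy->roles[1]->webshop instanceof Webshop)
    || $copy->roles[0]->webshop !== $copy->roles[1]->webshop) {
    throw new RuntimeException('shared object reference lost in round trip');
}
```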
 
Last updated: Fri Oct 18 06:01:27 2019 UTC