Bug #66120 Segfault when unserializing session
Submitted: 2013-11-19 19:07 UTC Modified: 2014-12-30 10:42 UTC
From: jan dot prachar at gmail dot com Assigned:
Status: No Feedback Package: Session related
PHP Version: 5.5.6 OS: Linux x86_64
Private report: No CVE-ID: None
 [2013-11-19 19:07 UTC] jan dot prachar at gmail dot com
Description:
------------
Segfault in __wakeup method when unserializing object from session

Test script:
---------------
class BusinessObject {
    private $properties;
    public function __wakeup() {
        $this->properties = null;
    }
}

session content:
... s:32:"w\bo\BussinessObjectproperties";a:9:{s:6:"action";O:16:"ReflectionMethod":2:{s:4:"name";s:9:"getAction";s:5:"class";s:18:"document\test\Form";}s:14:"originalAction";O:16:"ReflectionMethod":2:{s:4:"name";s:17:"getOriginalAction";s:5:"class";s:18:"document\test\Form";}s:14:"relativeAction";O:16:"ReflectionMethod":2:{s:4:"name";s:17:"getRelativeAction";s:5:"class";s:18:"document\test\Form";}s:8:"checksum";O:16:"ReflectionMethod":2:{s:4:"name";s:11:"getChecksum";s:5:"class";s:18:"document\test\Form";}s:7:"enabled";O:16:"ReflectionMethod":2:{s:4:"name";s:10:"getEnabled";s:5:"class";s:18:"document\test\Form";}s:6:"method";O:16:"ReflectionMethod":2:{s:4:"name";s:9:"getMethod";s:5:"class";s:18:"document\test\Form";}s:4:"html";O:16:"ReflectionMethod":2:{s:4:"name";s:7:"getHtml";s:5:"class";s:18:"document\test\Form";}s:6:"params";O:16:"ReflectionMethod":2:{s:4:"name";s:9:"getParams";s:5:"class";s:18:"document\test\Form";}s:3:"_id";O:16:"ReflectionMethod":2:{s:4:"name";s:5:"getId";s:5:"class";s:22:"w\bo\mongo\MongoObject";}} ...

Expected result:
----------------
A BusinessObject instance with $properties set to NULL.

Actual result:
--------------
Program terminated with signal 11, Segmentation fault.
#0  zend_std_write_property (object=0x7f89ce1f03e0, member=<optimized out>, value=0x7f89ce1f1ed0, key=<optimized out>) at /build/buildd/php5-5.5.3+dfsg/Zend/zend_object_handlers.c:548
548	/build/buildd/php5-5.5.3+dfsg/Zend/zend_object_handlers.c: No such file or directory.
(gdb) backtrace
#0  zend_std_write_property (object=0x7f89ce1f03e0, member=<optimized out>, value=0x7f89ce1f1ed0, key=<optimized out>) at /build/buildd/php5-5.5.3+dfsg/Zend/zend_object_handlers.c:548
#1  0x00007f89c848ae88 in zend_assign_to_object (key=0x7f89ac9129e8, opcode=136, execute_data=0x7f89cca19548, value_op=<optimized out>, value_type=<optimized out>, property_name=0x7f89ac9129e8, 
    object_ptr=<optimized out>, retval=0x0) at /build/buildd/php5-5.5.3+dfsg/Zend/zend_execute.c:739
#2  ZEND_ASSIGN_OBJ_SPEC_UNUSED_CONST_HANDLER (execute_data=0x7f89cca19548) at /build/buildd/php5-5.5.3+dfsg/Zend/zend_vm_execute.h:25069
#3  0x00007f89c8430918 in execute_ex (execute_data=0x7f89cca19548) at /build/buildd/php5-5.5.3+dfsg/Zend/zend_vm_execute.h:356
#4  0x00007f89c523ad7d in xdebug_execute_ex (execute_data=0x7f89cca19548) at /build/buildd/xdebug-2.2.3/build-php5/xdebug.c:1437
#5  0x00007f89c83f9188 in zend_call_function (fci=fci@entry=0x7fff9f5502f0, fci_cache=<optimized out>, fci_cache@entry=0x0) at /build/buildd/php5-5.5.3+dfsg/Zend/zend_execute_API.c:939
#6  0x00007f89c83f937e in call_user_function_ex (function_table=<optimized out>, object_pp=object_pp@entry=0x7fff9f5504d0, function_name=function_name@entry=0x7fff9f550380, 
    retval_ptr_ptr=retval_ptr_ptr@entry=0x7fff9f550378, param_count=param_count@entry=0, params=params@entry=0x0, no_separation=no_separation@entry=1, symbol_table=symbol_table@entry=0x0)
    at /build/buildd/php5-5.5.3+dfsg/Zend/zend_execute_API.c:727
#7  0x00007f89c817eced in object_common2 (rval=0x7fff9f5504d0, p=0x7fff9f550600, max=<optimized out>, var_hash=0x7fff9f550610, elements=15) at /build/buildd/php5-5.5.3+dfsg/ext/standard/var_unserializer.c:393
#8  0x00007f89c8379d4a in php_var_unserialize (rval=rval@entry=0x7fff9f5504d0, p=p@entry=0x7fff9f550600, max=max@entry=0x7f89ce1dcd6c "", var_hash=var_hash@entry=0x7fff9f550610)
    at /build/buildd/php5-5.5.3+dfsg/ext/standard/var_unserializer.c:740
#9  0x00007f89c817e8dc in process_nested_data (p=p@entry=0x7fff9f550600, max=max@entry=0x7f89ce1dcd6c "", var_hash=var_hash@entry=0x7fff9f550610, ht=0x7f89ce1e2190, elements=1, elements@entry=3, 
    objprops=objprops@entry=0, rval=0x7fff9f550608) at /build/buildd/php5-5.5.3+dfsg/ext/standard/var_unserializer.c:286
#10 0x00007f89c8379a94 in php_var_unserialize (rval=rval@entry=0x7fff9f550608, p=p@entry=0x7fff9f550600, max=max@entry=0x7f89ce1dcd6c "", var_hash=var_hash@entry=0x7fff9f550610)
    at /build/buildd/php5-5.5.3+dfsg/ext/standard/var_unserializer.c:776
#11 0x00007f89c82a344d in ps_srlzr_decode_php (val=<optimized out>, vallen=<optimized out>) at /build/buildd/php5-5.5.3+dfsg/ext/session/session.c:992
#12 0x00007f89c82a210a in php_session_decode (val=<optimized out>, vallen=<optimized out>) at /build/buildd/php5-5.5.3+dfsg/ext/session/session.c:224
#13 0x00007f89c82a599c in php_session_initialize () at /build/buildd/php5-5.5.3+dfsg/ext/session/session.c:508
#14 0x00007f89c82a6135 in php_session_start () at /build/buildd/php5-5.5.3+dfsg/ext/session/session.c:1503
#15 0x00007f89c82a7079 in zif_session_start (ht=<optimized out>, return_value=0x7f89ce298ed8, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /build/buildd/php5-5.5.3+dfsg/ext/session/session.c:1963
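
Added example, not part of the original report or of PHP's code: a Python walker that inventories the class names in a `php`-handler session payload without calling unserialize(), so no `__wakeup` runs while the payload is being triaged. The sample payload, `ALLOWED` and all function names are constructed for illustration; `C:` custom-serialized values are not handled.

```python
from collections import Counter

# Constructed sample (name|value layout) reusing class names from the report.
SAMPLE = (
    b'bo|O:20:"w\\bo\\BussinessObject":1:{'
    b's:32:"\x00w\\bo\\BussinessObject\x00properties";a:1:{'
    b's:6:"action";O:16:"ReflectionMethod":2:{s:4:"name";s:9:"getAction";'
    b's:5:"class";s:18:"document\\test\\Form";}}}'
    b'note|s:19:"O:8:"stdClass":0:{}";'   # plain string that only looks like an object
)
ALLOWED = {"w\\bo\\BussinessObject"}      # hypothetical allowlist for this application

def _int(buf, pos):
    """Read decimal digits up to ':'; return (value, offset after ':')."""
    end = buf.index(b":", pos)
    return int(buf[pos:end]), end + 1

def _string(buf, pos):
    """Read <len>:"<bytes>" by declared length, never by searching for a quote."""
    n, pos = _int(buf, pos)
    if buf[pos:pos + 1] != b'"' or buf[pos + n + 1:pos + n + 2] != b'"':
        raise ValueError(f"declared length {n} does not fit data at offset {pos}")
    return buf[pos + 1:pos + 1 + n], pos + n + 2

def walk(buf, pos, classes):
    """Step over one serialized value, counting object classes; return next offset."""
    tag = buf[pos:pos + 1]
    if tag in (b"N", b"b", b"i", b"d", b"r", b"R"):   # null, scalar or reference
        return buf.index(b";", pos) + 1
    if tag == b"s":                                   # s:<len>:"...";
        return _string(buf, pos + 2)[1] + 1
    if tag in (b"a", b"O"):                           # a:<n>:{..}  O:<len>:"<class>":<n>:{..}
        pos += 2
        if tag == b"O":
            name, pos = _string(buf, pos)
            classes[name.decode("utf-8", "replace")] += 1
            pos += 1                                  # skip ':' after the class name
        count, pos = _int(buf, pos)
        pos += 1                                      # skip '{'
        for _ in range(count * 2):                    # each entry is a key and a value
            pos = walk(buf, pos, classes)
        return pos + 1                                # skip '}'
    raise ValueError(f"unsupported or truncated value at offset {pos}")

def session_classes(raw):
    """Count every class a `php`-handler session payload would instantiate."""
    classes, pos = Counter(), 0
    while pos < len(raw):
        pos = walk(raw, raw.index(b"|", pos) + 1, classes)
    return classes

def unexpected(raw):
    return sorted(set(session_classes(raw)) - ALLOWED)
```

Because strings are consumed by their declared length, the `note` entry is not counted as an object, which a plain pattern search for `O:` would get wrong.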

 [2013-11-19 19:12 UTC] jan dot prachar at gmail dot com
The backtrace is from 5.5.3, I tried also latest stable 5.5.6 with the same result.
 [2014-02-17 22:34 UTC] yohgaki@php.net
-Status: Open
+Status: Feedback
 [2014-02-17 22:34 UTC] yohgaki@php.net
Do you have a crash without xdebug?
 [2014-02-27 15:17 UTC] jan dot prachar at gmail dot com
I don't have one, but I could try to produce one if it is necessary.
 [2014-12-30 10:42 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.