Bug #72134 igbinary_unserialize causes segfault on 3rd call for objects with dynamic property
Submitted: 2016-05-01 16:44 UTC Modified: 2017-09-24 00:00 UTC
Avg. Score:4.0 ± 0.8
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:1 (33.3%)
From: jakubsacha at gmail dot com Assigned: tandre (profile)
Status: Closed Package: igbinary (PECL)
PHP Version: 7.0.6 OS:
Private report: No CVE-ID: None
 [2016-05-01 16:44 UTC] jakubsacha at gmail dot com
3rd call on igbinary_unserialize ends up with segmentation fault. Test attached.

Test script:

<?php
class Obj
{
    public $bar = "test";
}

$value = new Obj();
$value->i = 1; // dynamic property, not declared on the class

$igb = igbinary_serialize($value);
for ($i = 0; $i <= 30; $i++) {
    // This might segfault at the third attempt
    echo igbinary_unserialize($igb)->bar . PHP_EOL;
}

Expected result:

Actual result:
Segmentation fault



Program received signal SIGSEGV, Segmentation fault.
0x000000000092af96 in _zend_is_inconsistent (ht=0x0, file=0xf4eea7 "/usr/src/php/Zend/zend_hash.c", line=1981) at /usr/src/php/Zend/zend_hash.c:47
47              if ((ht->u.flags & HASH_MASK_CONSISTENCY) == HT_OK) {
(gdb) bt
#0  0x000000000092af96 in _zend_is_inconsistent (ht=0x0, file=0xf4eea7 "/usr/src/php/Zend/zend_hash.c", line=1981) at /usr/src/php/Zend/zend_hash.c:47
#1  0x0000000000930c71 in zend_hash_find (ht=0x0, key=0x7ffff2202c00) at /usr/src/php/Zend/zend_hash.c:1981
#2  0x00007ffff1ffb9ed in igbinary_unserialize_array (igsd=0x7fffffffab50, t=igbinary_type_array8, z=0x7ffff2214141, flags=1) at /usr/src/php/ext/ext-php7-igbinary-rc1/igbinary.c:2018
#3  0x00007ffff1ffc4b4 in igbinary_unserialize_object (igsd=0x7fffffffab50, t=igbinary_type_array8, z=0x7ffff2214140, flags=0) at /usr/src/php/ext/ext-php7-igbinary-rc1/igbinary.c:2224
#4  0x00007ffff1ffcbbf in igbinary_unserialize_zval (igsd=0x7fffffffab50, z=0x7ffff2214140, flags=0) at /usr/src/php/ext/ext-php7-igbinary-rc1/igbinary.c:2371
#5  0x00007ffff1ff813d in igbinary_unserialize (buf=0x7ffff2258a98 "", buf_len=27, z=0x7ffff2214140) at /usr/src/php/ext/ext-php7-igbinary-rc1/igbinary.c:455
#6  0x00007ffff1ff81e6 in zif_igbinary_unserialize (execute_data=0x7ffff2214190, return_value=0x7ffff2214140) at /usr/src/php/ext/ext-php7-igbinary-rc1/igbinary.c:478
#7  0x000000000097570e in ZEND_DO_ICALL_SPEC_HANDLER () at /usr/src/php/Zend/zend_vm_execute.h:586
#8  0x000000000097513a in execute_ex (ex=0x7ffff2214030) at /usr/src/php/Zend/zend_vm_execute.h:414
#9  0x000000000097524f in zend_execute (op_array=0x7ffff227e000, return_value=0x0) at /usr/src/php/Zend/zend_vm_execute.h:458
#10 0x000000000091a7c9 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php/Zend/zend.c:1427
#11 0x000000000088d472 in php_execute_script (primary_file=0x7fffffffe2a0) at /usr/src/php/main/main.c:2494
#12 0x00000000009da0e8 in do_cli (argc=2, argv=0x12c3590) at /usr/src/php/sapi/cli/php_cli.c:974
#13 0x00000000009db08c in main (argc=2, argv=0x12c3590) at /usr/src/php/sapi/cli/php_cli.c:1344


 [2017-09-24 00:00 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: tandre
 [2017-09-24 00:00 UTC]
I'm unable to reproduce this bug in igbinary 2.0.1, 2.0.4, etc. (with/without valgrind).

This bug only affected the 2.0.0 betas and release candidates, which had known memory management errors and crashes. (The bug was created in May 2016; the official 2.0.0 release was in November 2016. Also, see the path: /usr/src/php/ext/ext-php7-igbinary-rc1.)
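The following script is an added example, not part of the bug report or of the igbinary project. It turns the reporter's reproducer into a check a practitioner can run on a deployment: it refuses to proceed on igbinary builds older than the 2.0.0 release (the boundary tandre's comment gives for the affected pre-release builds) and, on newer builds, verifies that repeated igbinary_unserialize calls return the declared property and the dynamic property intact instead of only printing one field. The function name igbinary_dynamic_property_roundtrip and the iteration count are this example's own choices; the PHP functions it calls (extension_loaded, phpversion, version_compare, igbinary_serialize, igbinary_unserialize) are standard.

```php
<?php
// Added example (not from the bug report or igbinary): gated round-trip check
// for objects carrying a dynamic property, modelled on the reporter's script.
declare(strict_types=1);

// Attribute keeps PHP 8.2+ from emitting a deprecation for the dynamic
// property; on PHP < 8.0 the "#[...]" line is parsed as a comment.
#[\AllowDynamicProperties]
class Obj
{
    public $bar = "test";
}

/**
 * Returns ['ok' => bool, 'reason' => string]. The "2.0.0" boundary is taken
 * from tandre's comment above (only 2.0.0 betas/RCs were affected); the
 * iteration count of 30 mirrors the reporter's loop and is arbitrary.
 */
function igbinary_dynamic_property_roundtrip(int $iterations = 30): array
{
    if (!extension_loaded('igbinary')) {
        return ['ok' => false, 'reason' => 'igbinary extension not loaded'];
    }

    $version = phpversion('igbinary');
    // version_compare orders "2.0.0beta1" and "2.0.0RC1" below "2.0.0".
    if ($version === false || version_compare($version, '2.0.0', '<')) {
        return [
            'ok'     => false,
            'reason' => "igbinary " . var_export($version, true)
                      . " predates the 2.0.0 release; pre-release builds crashed on this input",
        ];
    }

    $value = new Obj();
    $value->i = 1; // dynamic property: the trigger in the original report
    $igb = igbinary_serialize($value);

    for ($n = 0; $n <= $iterations; $n++) {
        $copy = igbinary_unserialize($igb);
        // Check the whole object, not just ->bar, so a silently dropped
        // dynamic property is reported rather than a crash being the only signal.
        if (!$copy instanceof Obj || $copy->bar !== 'test' || !isset($copy->i) || $copy->i !== 1) {
            return ['ok' => false, 'reason' => "round-trip mismatch on iteration $n"];
        }
    }

    return [
        'ok'     => true,
        'reason' => "igbinary $version: " . ($iterations + 1)
                  . " unserialize calls, declared and dynamic properties preserved",
    ];
}

$result = igbinary_dynamic_property_roundtrip();
echo ($result['ok'] ? 'PASS' : 'FAIL') . ': ' . $result['reason'] . PHP_EOL;
exit($result['ok'] ? 0 : 1);
```

Run it with `php check.php` under the same PHP binary and php.ini that load igbinary in production; a non-zero exit means either the extension is a pre-2.0.0 build or the round-trip did not preserve the object. Because the crash in the report is a segfault, a process that dies with no output should be treated the same as a FAIL.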
PHP Copyright © 2001-2024 The PHP Group