Bug #72134 igbinary_unserialize causes segfault on 3rd call for objects with dynamic property
Submitted: 2016-05-01 16:44 UTC Modified: 2017-09-24 00:00 UTC
Votes:3
Avg. Score:4.0 ± 0.8
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:1 (33.3%)
From: jakubsacha at gmail dot com Assigned: tandre (profile)
Status: Closed Package: igbinary (PECL)
PHP Version: 7.0.6 OS:
Private report: No CVE-ID: None
 [2016-05-01 16:44 UTC] jakubsacha at gmail dot com
Description:
------------
The 3rd call to igbinary_unserialize ends in a segmentation fault. Test attached.

Test script:
---------------
--TEST--
igbinary_unserialize causes segfault on 3rd call for objects with dynamic property
--SKIPIF--
<?php if (!extension_loaded('igbinary')) die('skip igbinary extension not loaded'); ?>
--FILE--
<?php
class Obj
{
    public $bar = "test";
}
$value = new Obj();
$value->i = 1; // dynamic (undeclared) property: the ingredient that triggers the crash

$igb = igbinary_serialize($value);
// Serialize once, unserialize repeatedly. The crash is reported on the
// third call; three iterations also match the three lines in --EXPECT--.
for ($i = 0; $i < 3; $i++)
{
    echo igbinary_unserialize($igb)->bar . PHP_EOL;
}
--EXPECT--
test
test
test


Expected result:
----------------
test
test
test


Actual result:
--------------
test
test
test
Segmentation fault

Termsig=11


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000092af96 in _zend_is_inconsistent (ht=0x0, file=0xf4eea7 "/usr/src/php/Zend/zend_hash.c", line=1981) at /usr/src/php/Zend/zend_hash.c:47
47              if ((ht->u.flags & HASH_MASK_CONSISTENCY) == HT_OK) {
(gdb) bt
#0  0x000000000092af96 in _zend_is_inconsistent (ht=0x0, file=0xf4eea7 "/usr/src/php/Zend/zend_hash.c", line=1981) at /usr/src/php/Zend/zend_hash.c:47
#1  0x0000000000930c71 in zend_hash_find (ht=0x0, key=0x7ffff2202c00) at /usr/src/php/Zend/zend_hash.c:1981
#2  0x00007ffff1ffb9ed in igbinary_unserialize_array (igsd=0x7fffffffab50, t=igbinary_type_array8, z=0x7ffff2214141, flags=1) at /usr/src/php/ext/ext-php7-igbinary-rc1/igbinary.c:2018
#3  0x00007ffff1ffc4b4 in igbinary_unserialize_object (igsd=0x7fffffffab50, t=igbinary_type_array8, z=0x7ffff2214140, flags=0) at /usr/src/php/ext/ext-php7-igbinary-rc1/igbinary.c:2224
#4  0x00007ffff1ffcbbf in igbinary_unserialize_zval (igsd=0x7fffffffab50, z=0x7ffff2214140, flags=0) at /usr/src/php/ext/ext-php7-igbinary-rc1/igbinary.c:2371
#5  0x00007ffff1ff813d in igbinary_unserialize (buf=0x7ffff2258a98 "", buf_len=27, z=0x7ffff2214140) at /usr/src/php/ext/ext-php7-igbinary-rc1/igbinary.c:455
#6  0x00007ffff1ff81e6 in zif_igbinary_unserialize (execute_data=0x7ffff2214190, return_value=0x7ffff2214140) at /usr/src/php/ext/ext-php7-igbinary-rc1/igbinary.c:478
#7  0x000000000097570e in ZEND_DO_ICALL_SPEC_HANDLER () at /usr/src/php/Zend/zend_vm_execute.h:586
#8  0x000000000097513a in execute_ex (ex=0x7ffff2214030) at /usr/src/php/Zend/zend_vm_execute.h:414
#9  0x000000000097524f in zend_execute (op_array=0x7ffff227e000, return_value=0x0) at /usr/src/php/Zend/zend_vm_execute.h:458
#10 0x000000000091a7c9 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php/Zend/zend.c:1427
#11 0x000000000088d472 in php_execute_script (primary_file=0x7fffffffe2a0) at /usr/src/php/main/main.c:2494
#12 0x00000000009da0e8 in do_cli (argc=2, argv=0x12c3590) at /usr/src/php/sapi/cli/php_cli.c:974
#13 0x00000000009db08c in main (argc=2, argv=0x12c3590) at /usr/src/php/sapi/cli/php_cli.c:1344


History
 [2017-09-24 00:00 UTC] tandre@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: tandre
 [2017-09-24 00:00 UTC] tandre@php.net
I'm unable to reproduce this bug in igbinary 2.0.1, 2.0.4, etc (with/without valgrind)

This bug only affected the 2.0.0 betas and release candidates, which had known memory management errors and crashes. (The bug was created in May 2016, the official 2.0.0 release was in November 2016. Also, see the path: /usr/src/php/ext/ext-php7-igbinary-rc1).
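Added example, not code from this bug report or from the igbinary project: two checks a deployer can run before trusting igbinary round-trips of objects with dynamic properties. The first is a version guard, since the maintainer's note above says the crash only affected the 2.0.0 betas and release candidates. The second replays the reporter's scenario (object with a declared property plus a dynamic one, serialized once, unserialized repeatedly) in a child PHP process, so a segfault kills the child rather than the caller, and the termination signal is reported instead of silently taking down the calling script. The function names are illustrative, not an igbinary API, and the code assumes a POSIX sh that reports a signal-killed child as exit status 128 + signal number.

```php
<?php
// Added example: not code from this bug report or from the igbinary project.
//   1. version guard: the maintainer states only the 2.0.0 betas/RCs crashed;
//   2. smoke test: replay the reporter's repro in a child PHP process so that a
//      segfault (Termsig=11 in the report) is observed, not suffered.
// Assumption: a POSIX sh that reports a signal-killed child as 128 + signo.
// igbinaryMeetsMinimumVersion / igbinaryRoundTripSmokeTest are illustrative names.

function igbinaryMeetsMinimumVersion(string $min = '2.0.0'): bool
{
    $loaded = phpversion('igbinary'); // false when the extension is not loaded
    return $loaded !== false && version_compare($loaded, $min, '>=');
}

function igbinaryRoundTripSmokeTest(int $iterations = 10): array
{
    // Child script: exit 0 on success, 2 if a round-trip returns the wrong data.
    // No single quotes inside, so escapeshellarg() can wrap it as one argument.
    $child = <<<'PHP'
class Obj { public $bar = "test"; }
$value = new Obj();
$value->i = 1;
$igb = igbinary_serialize($value);
for ($n = 0; $n < (int) $argv[1]; $n++) {
    $copy = igbinary_unserialize($igb);
    if (!$copy instanceof Obj || $copy->bar !== "test" || $copy->i !== 1) {
        exit(2);
    }
}
exit(0);
PHP;

    $cmd = escapeshellarg(PHP_BINARY) . ' -r ' . escapeshellarg($child)
         . ' ' . $iterations . ' 2>&1';
    exec($cmd, $output, $status);

    // sh reports a child killed by signal N as exit status 128 + N,
    // so a segfault (SIGSEGV = 11) surfaces as 139.
    $signal = $status > 128 ? $status - 128 : null;

    return [
        'ok'     => $status === 0,
        'status' => $status,
        'signal' => $signal,              // 11 means the crash from this report
        'output' => implode("\n", $output),
    ];
}

// Usage: refuse to proceed on an RC-era igbinary or on a failed round-trip.
if (!igbinaryMeetsMinimumVersion()) {
    fwrite(STDERR, "igbinary missing or older than 2.0.0; refusing to use it\n");
    exit(1);
}
$result = igbinaryRoundTripSmokeTest(10);
if (!$result['ok']) {
    fwrite(STDERR, sprintf("igbinary round-trip failed (status %d%s)\n",
        $result['status'],
        $result['signal'] !== null ? ", signal {$result['signal']}" : ''));
    exit(1);
}
echo "igbinary round-trip OK\n";
```

The child is launched with `php -r` so no temporary file is written; `$argv[1]` carries the iteration count. On PHP 8.2 and later the dynamic-property assignment in the child emits a deprecation notice, which is captured in `output` but does not change the exit status.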
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Nov 14 17:01:35 2019 UTC