Bug #72960 unserialize DOMConfiguration causes stack-overflow
Submitted: 2016-08-29 03:32 UTC
Modified: 2016-08-29 08:48 UTC
From: fernando at null-life dot com
Assigned:
Status: Open
Package: *General Issues
PHP Version: 5.6.25
OS: *
Private report: No
CVE-ID: None
 [2016-08-29 03:32 UTC] fernando at null-life dot com
Description:
------------
A wrong serialized string causes infinite recursion and finally stack exhaustion when we try to deserialize the "DOMConfiguration" class.


Test script:
---------------
<?php

$x = 'O:16:"DOMConfiguration":1:{s:1:"A";r:1;}';
var_dump(unserialize($x));

Expected result:
----------------
object(DOMConfiguration)#1 (1) {
  ["A"]=>
  *RECURSION*
}

Actual result:
--------------
object(DOMConfiguration)#1 (1) {
  ["A"]=>
  object(DOMConfiguration)#1 (1) {
    ["A"]=>
    object(DOMConfiguration)#1 (1) {
      ["A"]=>
      object(DOMConfiguration)#1 (1) {
        ["A"]=>
        object(DOMConfiguration)#1 (1) {
....

---------------------------

ASan output:

==23077==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdf18a8e58 (pc 0x7ff155350bd6 bp 0x7ffdf18a96d0 sp 0x7ffdf18a8e60 T0)
    #0 0x7ff155350bd5 in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbd5)
    #1 0x16bbb2f in memset /usr/include/x86_64-linux-gnu/bits/string3.h:90
    #2 0x16bbb2f in xbuf_format_converter /home/operac/php-src-56/php-src/main/spprintf.c:789
    #3 0x16c4011 in vspprintf /home/operac/php-src-56/php-src/main/spprintf.c:821
    #4 0x1699807 in php_printf /home/operac/php-src-56/php-src/main/main.c:756
    #5 0x14e9e96 in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:67
    #6 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #7 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #8 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #9 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #10 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #11 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #12 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #13 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #14 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #15 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #16 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #17 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #18 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #19 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #20 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #21 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #22 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #23 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #24 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #25 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #26 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #27 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
...

SUMMARY: AddressSanitizer: stack-overflow ??:0 __asan_memset
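
Added example, not part of the original report or of php-src: a small walker over the serialize() format that reports back-references (r:N / R:N) whose target is a container still being parsed, which is the shape of the test string above, so an application can refuse untrusted input of that shape before calling unserialize(). The helper names (take, walk, find_self_refs), the nesting limit of 64 and the slot-numbering model are assumptions made for this example.

```php
<?php
// Added example, not php-src code. Helper names are hypothetical. Assumed slot
// model (PHP 5.x): every value except R: takes the next slot number, while
// array keys and property names take none. Unknown tokens are rejected.
function take($s, &$pos, $re)
{
    if (!preg_match($re, $s, $m, 0, $pos)) { throw new InvalidArgumentException("bad token at offset $pos"); }
    $pos += strlen($m[0]);
    return $m;
}

function walk($s, &$pos, &$slot, &$open, &$hits, $isKey = false)
{
    $t = isset($s[$pos]) ? $s[$pos] : '';
    if (!$isKey && $t !== 'R') { $slot++; }
    $me = $slot;                                  // slot number of this value
    switch ($t) {
    case 'N': take($s, $pos, '/\GN;/'); return;
    case 'b': case 'i': case 'd': take($s, $pos, '/\G[bid]:[^;]*;/'); return;
    case 's':
        $m = take($s, $pos, '/\Gs:(\d+):"/');
        $pos += (int)$m[1];                       // skip the raw string bytes
        take($s, $pos, '/\G";/'); return;
    case 'r': case 'R':
        $m = take($s, $pos, '/\G[rR]:(\d+);/');   // hit when the target is an enclosing container
        if (isset($open[(int)$m[1]])) { $hits[] = array('token' => $m[0], 'container' => $open[(int)$m[1]]); }
        return;
    case 'a': case 'O':
        if ($isKey || count($open) >= 64) { throw new InvalidArgumentException("bad nesting at offset $pos"); }
        $m = take($s, $pos, $t === 'a' ? '/\Ga:(\d+):\{/' : '/\GO:\d+:"([^"]+)":(\d+):\{/');
        $open[$me] = $t === 'a' ? 'array' : $m[1];
        for ($n = (int)end($m); $n > 0; $n--) {
            walk($s, $pos, $slot, $open, $hits, true);   // key or property name
            walk($s, $pos, $slot, $open, $hits);         // value
        }
        take($s, $pos, '/\G\}/');
        unset($open[$me]); return;
    }
    throw new InvalidArgumentException("unsupported token at offset $pos");
}

function find_self_refs($s)
{
    $pos = 0; $slot = 0; $open = array(); $hits = array();
    walk($s, $pos, $slot, $open, $hits);
    if ($pos !== strlen($s)) { throw new InvalidArgumentException("trailing data at offset $pos"); }
    return $hits;
}
// Test string from the report: property "A" points back at slot 1, the object.
print_r(find_self_refs('O:16:"DOMConfiguration":1:{s:1:"A";r:1;}'));
```

serialize() itself emits such references for cyclic object graphs, so a hit is grounds for rejecting untrusted input rather than proof of a malicious payload.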

 [2016-08-29 08:48 UTC] stas@php.net
-Type: Security
+Type: Bug
 
Last updated: Tue Jan 28 19:01:26 2020 UTC