Bug #72960 unserialize DOMConfiguration causes stack-overflow
Submitted: 2016-08-29 03:32 UTC Modified: 2021-08-11 09:50 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: fernando at null-life dot com Assigned: cmb (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6.25 OS: *
Private report: No CVE-ID: None
 [2016-08-29 03:32 UTC] fernando at null-life dot com
Description:
------------
A wrong serialized string causes infinite recursion and, finally, stack exhaustion when we try to deserialize the "DOMConfiguration" class.


Test script:
---------------
<?php

$x = 'O:16:"DOMConfiguration":1:{s:1:"A";r:1;}';
var_dump(unserialize($x));

Expected result:
----------------
object(DOMConfiguration)#1 (1) {
  ["A"]=>
  *RECURSION*
}

Actual result:
--------------
object(DOMConfiguration)#1 (1) {
  ["A"]=>
  object(DOMConfiguration)#1 (1) {
    ["A"]=>
    object(DOMConfiguration)#1 (1) {
      ["A"]=>
      object(DOMConfiguration)#1 (1) {
        ["A"]=>
        object(DOMConfiguration)#1 (1) {
....

---------------------------

ASan output:

==23077==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdf18a8e58 (pc 0x7ff155350bd6 bp 0x7ffdf18a96d0 sp 0x7ffdf18a8e60 T0)
    #0 0x7ff155350bd5 in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbd5)
    #1 0x16bbb2f in memset /usr/include/x86_64-linux-gnu/bits/string3.h:90
    #2 0x16bbb2f in xbuf_format_converter /home/operac/php-src-56/php-src/main/spprintf.c:789
    #3 0x16c4011 in vspprintf /home/operac/php-src-56/php-src/main/spprintf.c:821
    #4 0x1699807 in php_printf /home/operac/php-src-56/php-src/main/main.c:756
    #5 0x14e9e96 in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:67
    #6 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #7 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #8 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #9 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #10 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #11 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #12 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #13 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #14 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #15 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #16 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #17 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #18 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #19 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #20 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #21 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #22 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #23 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #24 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
    #25 0x14e928c in php_var_dump /home/operac/php-src-56/php-src/ext/standard/var.c:146
    #26 0x14ea11f in php_object_property_dump /home/operac/php-src-56/php-src/ext/standard/var.c:82
    #27 0x19bd175 in zend_hash_apply_with_arguments /home/operac/php-src-56/php-src/Zend/zend_hash.c:701
...

SUMMARY: AddressSanitizer: stack-overflow ??:0 __asan_memset

 [2016-08-29 08:48 UTC] stas@php.net
-Type: Security +Type: Bug
 [2021-08-11 09:50 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-08-11 09:50 UTC] cmb@php.net
This is fixed as of PHP 7.0.0: <https://3v4l.org/AScS5>
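
For code that still runs on an affected 5.x release, one way to keep a string like the report's test script away from the decoder is to reject any serialized class that is not on an explicit allow-list before calling unserialize(). This is an added example, not code from the report or from php-src; serialized_class_names(), safe_unserialize() and the sample inputs are hypothetical names and constructed data.

```php
<?php
// Added example. serialized_class_names() and safe_unserialize() are
// hypothetical helpers, not part of PHP or php-src.

function serialized_class_names($data)
{
    // Tokens that name a class are O:<len>:"Name" and C:<len>:"Name".
    // Matching them anywhere, even inside string payloads, can only cause
    // extra rejections, never an extra acceptance.
    preg_match_all('/[OC]:[+-]?\d+:"([^"]*)"/', $data, $m);
    return array_unique(array_map('strtolower', $m[1]));
}

function safe_unserialize($data, array $allowed = array())
{
    $allowed_lc = array_map('strtolower', $allowed);
    foreach (serialized_class_names($data) as $name) {
        if (!in_array($name, $allowed_lc, true)) {
            throw new UnexpectedValueException("class not allowed: $name");
        }
    }
    if (PHP_VERSION_ID >= 70000) {
        // PHP 7.0+ can enforce the same list inside the decoder as well.
        $opt = $allowed ? $allowed : false;
        return unserialize($data, array('allowed_classes' => $opt));
    }
    return unserialize($data); // PHP 5.x: the pre-scan is the only gate
}

// Constructed inputs: the report's test string and a plain array.
$inputs = array(
    'O:16:"DOMConfiguration":1:{s:1:"A";r:1;}',
    'a:1:{s:1:"A";i:1;}',
);
foreach ($inputs as $s) {
    try {
        var_dump(safe_unserialize($s));
    } catch (UnexpectedValueException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

With an empty allow-list the report's string is rejected before unserialize() runs, so no DOMConfiguration object is ever built or dumped.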
 
Last updated: Fri Mar 29 05:01:28 2024 UTC