|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #73331 NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
Submitted: 2016-10-17 13:43 UTC Modified: 2016-12-13 11:51 UTC
From: taoguangchen at icloud dot com Assigned: stas (profile)
Status: Closed Package: WDDX related
PHP Version: 5.6.27 OS:
Private report: No CVE-ID: 2016-9934
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: taoguangchen at icloud dot com
New email:
PHP Version: OS:


 [2016-10-17 13:43 UTC] taoguangchen at icloud dot com
						object_init_ex(obj, *pce);

The PDORow object will be created in during WDDX packet deserialization.

void pdo_stmt_init(TSRMLS_D)
	pdo_row_ce->create_object = pdo_row_new;
zend_object_value pdo_row_new(zend_class_entry *ce TSRMLS_DC)
	zend_object_value retval;

	retval.handle = zend_objects_store_put(NULL, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t)pdo_row_free_storage, NULL TSRMLS_CC);
	retval.handlers = &pdo_row_object_handlers;

	return retval;

But the PDORow object isn’t initialized in the pdo_row_new.

										(void (*)(void *)) zval_add_ref,
										(void *) &tmp, sizeof(zval *), 0);

Then the `Z_OBJPROP_P` macro will call to the PDORow object's get_properties handler.

static HashTable *row_get_properties(zval *object TSRMLS_DC)
	pdo_stmt_t * stmt = (pdo_stmt_t *) zend_object_store_get_object(object TSRMLS_CC);
	int i;

	if (stmt == NULL) {
		return NULL;

Thus the row_get_properties will return NULL, this result in NULL pointer dereference.


$wddx = "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'><string>PDORow</string></var></struct></data></wddxPacket>";



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-10-17 19:48 UTC]
Hmm... not sure PDORow should even be serializable...
 [2016-10-24 01:43 UTC]
-Package: WDDX related +Package: PDO Core
 [2016-10-24 01:43 UTC]
It's actually PDO problem, not WDDX. PDORow should not be unserialized.
 [2016-10-24 01:50 UTC]
-Package: PDO Core +Package: WDDX related
 [2016-10-24 01:50 UTC]
Oops. spoke too soon. Looks like WDDX mishandles all objects which use serialize/unserialize.
 [2016-10-24 03:22 UTC]
The fix is in security repo as 6045de69c7dedcba3eadf7c4bba424b19c81d00d and in

please verify
 [2016-10-24 03:24 UTC]
-Assigned To: +Assigned To: stas
 [2016-10-25 01:43 UTC]
-CVE-ID: +CVE-ID: needed
 [2016-11-16 04:01 UTC]
-Status: Assigned +Status: Closed
 [2016-11-16 04:01 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

 [2016-12-13 11:51 UTC]
-CVE-ID: needed +CVE-ID: 2016-9934
 [2016-12-13 11:51 UTC]
Use CVE-2016-9934. The scope of this CVE is everything fixed by
6045de69c7dedcba3eadf7c4bba424b19c81d00d. We could not immediately
determine whether the new "pdo_row_ce->unserialize =
zend_class_unserialize_deny" line, by itself, could stand as an
independent fix for a subset of the problem.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Jul 13 23:01:29 2024 UTC