Sec Bug #73831 NULL Pointer Dereference while unserialize php object
Submitted: 2016-12-29 14:55 UTC Modified: 2017-02-09 10:45 UTC
From: nguyenvuhoang199321 at gmail dot com Assigned: stas (profile)
Status: Closed Package: WDDX related
PHP Version: 7.0.14 OS: ALL
Private report: No CVE-ID: 2016-10162
 [2016-12-29 14:55 UTC] nguyenvuhoang199321 at gmail dot com
Because the result of object_init_ex is not checked, if the user passes an implement class or abstract class the result of this is FALSE and args is NULL, which leads to a program crash.
		if (class_type->ce_flags & ZEND_ACC_INTERFACE) {
			zend_throw_error(NULL, "Cannot instantiate interface %s", ZSTR_VAL(class_type->name));
		} else if (class_type->ce_flags & ZEND_ACC_TRAIT) {
			zend_throw_error(NULL, "Cannot instantiate trait %s", ZSTR_VAL(class_type->name));
		} else {
			zend_throw_error(NULL, "Cannot instantiate abstract class %s", ZSTR_VAL(class_type->name));
		}
		Z_OBJ_P(arg) = NULL;
		return FAILURE;

	if (UNEXPECTED(!(class_type->ce_flags & ZEND_ACC_CONSTANTS_UPDATED))) {
		if (UNEXPECTED(zend_update_class_constants(class_type) != SUCCESS)) {
			Z_OBJ_P(arg) = NULL;
			return FAILURE;
		}
	}

	if (class_type->create_object == NULL) {
		ZVAL_OBJ(arg, zend_objects_new(class_type));
		if (properties) {
			object_properties_init_ex(Z_OBJ_P(arg), properties);
		} else {
			object_properties_init(Z_OBJ_P(arg), class_type);
		}
	} else {
		ZVAL_OBJ(arg, class_type->create_object(class_type));
	}
	return SUCCESS;
object_init_ex(&obj, pce);

							/* Merge current hashtable with object's default properties */
											zval_add_ref, 0);

Test script:
$xml = <<<EOF
<?xml version="1.0" ?>
<wddxPacket version="1.0">
		<var name="php_class_name">
	$wddx = wddx_deserialize($xml);
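
Added example, not part of the original report and not PHP source or the committed fix: a self-contained C model of the pattern described above, where an initializer sets the object pointer to NULL and returns FAILURE, with an unchecked caller beside a checked one. All type, flag and function names here are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the engine's types and flags (not PHP's own). */
enum { SUCCESS = 0, FAILURE = -1 };
enum { ACC_INTERFACE = 1, ACC_ABSTRACT = 2 };
typedef struct { int nprops; } object;
typedef struct { const char *name; unsigned flags; } class_entry;
typedef struct { object *obj; } value;

/* Models the contract quoted in the report: for a class that cannot be
 * instantiated, the object pointer is set to NULL and FAILURE is returned. */
int model_object_init(value *arg, const class_entry *ce)
{
    if (ce->flags & (ACC_INTERFACE | ACC_ABSTRACT)) {
        arg->obj = NULL;
        return FAILURE;
    }
    arg->obj = calloc(1, sizeof(object));
    return arg->obj ? SUCCESS : FAILURE;
}

/* Unchecked caller, shown for contrast only: the return value is ignored,
 * so v.obj is NULL for an interface or abstract class and the write below
 * dereferences it. */
int merge_unchecked(const class_entry *ce, int incoming)
{
    value v;
    model_object_init(&v, ce);
    v.obj->nprops += incoming;   /* crashes when init failed */
    int n = v.obj->nprops;
    free(v.obj);
    return n;
}

/* Checked caller: stop before touching the object when init failed. */
int merge_checked(const class_entry *ce, int incoming)
{
    value v;
    if (model_object_init(&v, ce) != SUCCESS || v.obj == NULL) {
        return FAILURE;
    }
    v.obj->nprops += incoming;
    int n = v.obj->nprops;
    free(v.obj);
    return n;
}
```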


 [2017-01-01 04:15 UTC]
-PHP Version: 7.1Git-2016-12-29 (Git)
+PHP Version: 7.0.14
-Assigned To:
+Assigned To: stas
-CVE-ID:
+CVE-ID: needed
 [2017-01-01 04:15 UTC]
The fix is in security repo as 8d2539fa0faf3f63e1d1e7635347c5b9e777d47b and in

please verify
 [2017-01-02 11:53 UTC] nguyenvuhoang199321 at gmail dot com
Bug is fixed
 [2017-01-03 05:39 UTC]
Automatic comment on behalf of stas
Log: Fix bug #73831 - NULL Pointer Dereference while unserialize php object
 [2017-01-03 05:39 UTC]
-Status: Assigned
+Status: Closed
 [2017-01-25 11:11 UTC]
-CVE-ID: needed
+CVE-ID: 2016-10162
 [2017-02-04 19:17 UTC] riosjp885 at gmail dot com
Hey, I have a copy of a packet of a book all about PHP 7.0 from the United Kingdom; actually my older brother from Switzerland gave me a copy of this book, and it has amazing info. So anyway, I was just wondering if we can work together on re-formatting/re-building the components of this book. Please reply back on my Gmail.