PHP :: Bug #74096 :: Unserialize Possible integer overflow in memory allocation

Bug #74096	Unserialize Possible integer overflow in memory allocation
Submitted:	2017-02-14 21:28 UTC	Modified:	2017-02-14 21:35 UTC
From:	cyoung at tripwire dot com	Assigned:
Status:	Not a bug	Package:	*Programming Data Structures
PHP Version:	7.1.2RC1	OS:	Linux (4.4.0-59-generic)
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2017-02-14 21:28 UTC] cyoung at tripwire dot com

Description:
------------
It seems like this is a properly handled situation in 7.1.2RC1, but in older versions, there is no Fatal Error making me question if there may be a problem with older PHP (such as version PHP 5.6.17 (cli) (built: Jan  8 2016 10:27:48)).

Unserializing some crafted data leads to this error:
php -r "unserialize('a:1:{i:0;O:1:\"H\":01{}i:0;O:1:\"a\":01{yi:0;O:1:\"a\":3000000000{}i:');"
PHP Fatal error:  Possible integer overflow in memory allocation (3000000001 * 32 + 32) in Command line code on line 1

I am submitting this as a security bug so that someone with better knowledge of PHP internals can make sure this is safe behavior.

Test script:
---------------
php -r "unserialize('a:1:{i:0;O:1:\"H\":01{}i:0;O:1:\"a\":01{yi:0;O:1:\"a\":3000000000{}i:');"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-02-14 21:35 UTC] stas@php.net

-Status: Open +Status: Not a bug -Type: Security +Type: Bug

[2017-02-14 21:35 UTC] stas@php.net

Don't see an issue here. Looks to be intended behavior, and erroring out on bad data is ok.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 04:01:28 2024 UTC