php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74096 Unserialize Possible integer overflow in memory allocation
Submitted: 2017-02-14 21:28 UTC Modified: 2017-02-14 21:35 UTC
From: cyoung at tripwire dot com Assigned:
Status: Not a bug Package: *Programming Data Structures
PHP Version: 7.1.2RC1 OS: Linux (4.4.0-59-generic)
Private report: No CVE-ID: None
 [2017-02-14 21:28 UTC] cyoung at tripwire dot com
Description:
------------
It seems like this is a properly handled situation in 7.1.2RC1, but in older versions, there is no Fatal Error making me question if there may be a problem with older PHP (such as version PHP 5.6.17 (cli) (built: Jan  8 2016 10:27:48)).

Unserializing some crafted data leads to this error:
php -r "unserialize('a:1:{i:0;O:1:\"H\":01{}i:0;O:1:\"a\":01{yi:0;O:1:\"a\":3000000000{}i:');"
PHP Fatal error:  Possible integer overflow in memory allocation (3000000001 * 32 + 32) in Command line code on line 1

I am submitting this as a security bug so that someone with better knowledge of PHP internals can make sure this is safe behavior.

Test script:
---------------
php -r "unserialize('a:1:{i:0;O:1:\"H\":01{}i:0;O:1:\"a\":01{yi:0;O:1:\"a\":3000000000{}i:');"


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-02-14 21:35 UTC] stas@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2017-02-14 21:35 UTC] stas@php.net
Don't see an issue here. Looks to be intended behavior, and erroring out on bad data is ok.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 09 14:01:27 2024 UTC