|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75006 Memory Corruption in Extended SplFixedArray
Submitted: 2017-07-30 14:22 UTC Modified: 2020-06-10 10:58 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: taoguangchen at icloud dot com Assigned: nikic (profile)
Status: Closed Package: SPL related
PHP Version: 5.6.31 OS: *
Private report: No CVE-ID: None
 [2017-07-30 14:22 UTC] taoguangchen at icloud dot com
Memory Corruption in Extended SplFixedArray

SPL_METHOD(SplFixedArray, __wakeup)
	spl_fixedarray_object *intern = (spl_fixedarray_object *) zend_object_store_get_object(getThis() TSRMLS_CC);
	HashPosition ptr;
	HashTable *intern_ht = zend_std_get_properties(getThis() TSRMLS_CC);

An extended SplFixedArray can contains some properties. In during SplFixedArray deserialization, the deserialized properties will be cleaned. Then destructor call with uninitialized properties that result in memory corruption.

class obj extends SplFixedArray {
	var $prop;
	function __destruct() {
		if ($this->prop) {
			// doing whatever


$wddx = <<<EOT
<?xml version='1.0'?>
<wddxPacket version='1.0'>
			<var name='php_class_name'>
			<var name='prop'>



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-07-31 12:45 UTC]
Unserialize must not be used on untrusted input.
We don't consider issues in unserialize as security vulnerabilities - removing Private flag...
 [2017-08-02 17:23 UTC]
-Type: Security +Type: Bug
 [2020-06-10 10:58 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-06-10 10:58 UTC]
Can't reproduce any corruption on current PHP versions. I believe this got fixed when the delayed wakeup was introduced.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Oct 18 19:03:35 2021 UTC