|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75006 Memory Corruption in Extended SplFixedArray
Submitted: 2017-07-30 14:22 UTC Modified: 2017-08-02 17:23 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: taoguangchen at icloud dot com Assigned:
Status: Open Package: SPL related
PHP Version: 5.6.31 OS: *
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-07-30 14:22 UTC] taoguangchen at icloud dot com
Memory Corruption in Extended SplFixedArray

SPL_METHOD(SplFixedArray, __wakeup)
	spl_fixedarray_object *intern = (spl_fixedarray_object *) zend_object_store_get_object(getThis() TSRMLS_CC);
	HashPosition ptr;
	HashTable *intern_ht = zend_std_get_properties(getThis() TSRMLS_CC);

An extended SplFixedArray can contains some properties. In during SplFixedArray deserialization, the deserialized properties will be cleaned. Then destructor call with uninitialized properties that result in memory corruption.

class obj extends SplFixedArray {
	var $prop;
	function __destruct() {
		if ($this->prop) {
			// doing whatever


$wddx = <<<EOT
<?xml version='1.0'?>
<wddxPacket version='1.0'>
			<var name='php_class_name'>
			<var name='prop'>



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-07-31 12:45 UTC]
Unserialize must not be used on untrusted input.
We don't consider issues in unserialize as security vulnerabilities - removing Private flag...
 [2017-08-02 17:23 UTC]
-Type: Security +Type: Bug
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Jun 05 08:01:24 2020 UTC