|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75006 Memory Corruption in Extended SplFixedArray
Submitted: 2017-07-30 14:22 UTC Modified: 2020-06-10 10:58 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: taoguangchen at icloud dot com Assigned: nikic (profile)
Status: Closed Package: SPL related
PHP Version: 5.6.31 OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: taoguangchen at icloud dot com
New email:
PHP Version: OS:


 [2017-07-30 14:22 UTC] taoguangchen at icloud dot com
Memory Corruption in Extended SplFixedArray

SPL_METHOD(SplFixedArray, __wakeup)
	spl_fixedarray_object *intern = (spl_fixedarray_object *) zend_object_store_get_object(getThis() TSRMLS_CC);
	HashPosition ptr;
	HashTable *intern_ht = zend_std_get_properties(getThis() TSRMLS_CC);

An extended SplFixedArray can contains some properties. In during SplFixedArray deserialization, the deserialized properties will be cleaned. Then destructor call with uninitialized properties that result in memory corruption.

class obj extends SplFixedArray {
	var $prop;
	function __destruct() {
		if ($this->prop) {
			// doing whatever


$wddx = <<<EOT
<?xml version='1.0'?>
<wddxPacket version='1.0'>
			<var name='php_class_name'>
			<var name='prop'>



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-07-31 12:45 UTC]
Unserialize must not be used on untrusted input.
We don't consider issues in unserialize as security vulnerabilities - removing Private flag...
 [2017-08-02 17:23 UTC]
-Type: Security +Type: Bug
 [2020-06-10 10:58 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-06-10 10:58 UTC]
Can't reproduce any corruption on current PHP versions. I believe this got fixed when the delayed wakeup was introduced.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Jun 23 16:01:29 2024 UTC