|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75006 Memory Corruption in Extended SplFixedArray
Submitted: 2017-07-30 14:22 UTC Modified: 2020-06-10 10:58 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: taoguangchen at icloud dot com Assigned: nikic (profile)
Status: Closed Package: SPL related
PHP Version: 5.6.31 OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: taoguangchen at icloud dot com
New email:
PHP Version: OS:


 [2017-07-30 14:22 UTC] taoguangchen at icloud dot com
Memory Corruption in Extended SplFixedArray

SPL_METHOD(SplFixedArray, __wakeup)
	spl_fixedarray_object *intern = (spl_fixedarray_object *) zend_object_store_get_object(getThis() TSRMLS_CC);
	HashPosition ptr;
	HashTable *intern_ht = zend_std_get_properties(getThis() TSRMLS_CC);

An extended SplFixedArray can contains some properties. In during SplFixedArray deserialization, the deserialized properties will be cleaned. Then destructor call with uninitialized properties that result in memory corruption.

class obj extends SplFixedArray {
	var $prop;
	function __destruct() {
		if ($this->prop) {
			// doing whatever


$wddx = <<<EOT
<?xml version='1.0'?>
<wddxPacket version='1.0'>
			<var name='php_class_name'>
			<var name='prop'>



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-07-31 12:45 UTC]
Unserialize must not be used on untrusted input.
We don't consider issues in unserialize as security vulnerabilities - removing Private flag...
 [2017-08-02 17:23 UTC]
-Type: Security +Type: Bug
 [2020-06-10 10:58 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-06-10 10:58 UTC]
Can't reproduce any corruption on current PHP versions. I believe this got fixed when the delayed wakeup was introduced.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Jun 21 20:01:24 2021 UTC