Bug #75006 Memory Corruption in Extended SplFixedArray
Submitted: 2017-07-30 14:22 UTC Modified: 2017-08-02 17:23 UTC
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: taoguangchen at icloud dot com Assigned:
Status: Open Package: SPL related
PHP Version: 5.6.31 OS: *
Private report: No CVE-ID: None

 [2017-07-30 14:22 UTC] taoguangchen at icloud dot com
Memory Corruption in Extended SplFixedArray

SPL_METHOD(SplFixedArray, __wakeup)
	spl_fixedarray_object *intern = (spl_fixedarray_object *) zend_object_store_get_object(getThis() TSRMLS_CC);
	HashPosition ptr;
	HashTable *intern_ht = zend_std_get_properties(getThis() TSRMLS_CC);

An extended SplFixedArray can contain some properties. During SplFixedArray deserialization, the deserialized properties will be cleaned. Then the destructor is called with uninitialized properties, which results in memory corruption.

class obj extends SplFixedArray {
	var $prop;
	function __destruct() {
		if ($this->prop) {
			// doing whatever


$wddx = <<<EOT
<?xml version='1.0'?>
<wddxPacket version='1.0'>
			<var name='php_class_name'>
			<var name='prop'>



 [2017-07-31 12:45 UTC]
Unserialize must not be used on untrusted input.
We don't consider issues in unserialize as security vulnerabilities - removing Private flag...
 [2017-08-02 17:23 UTC]
-Type: Security +Type: Bug
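The maintainers' reply above says unserialize() must not receive untrusted input. As an added example (not code from the report or from php-src), the snippet below takes a subclass shaped like the reporter's obj and shows how the allowed_classes option of unserialize() keeps the SplFixedArray subclass from being instantiated, so neither the inherited __wakeup nor the subclass __destruct runs on attacker-supplied property data. It assumes PHP 7.0 or later, where that option exists; the report was filed against 5.6.31, which lacks it.

```php
<?php
// Added example, not code from the bug report or from php-src.
// Assumes PHP >= 7.0: unserialize() gained the allowed_classes option in 7.0,
// so this defence is not available on the 5.6.31 the report was filed against.

class Obj extends SplFixedArray {
    public $prop = 'set-by-constructor';

    public function __destruct() {
        // Runs for every real Obj instance, including ones unserialize() builds.
        if ($this->prop) {
            echo "Obj::__destruct ran with prop=", var_export($this->prop, true), "\n";
        }
    }
}

// Constructed sample payload: serialize a genuine Obj so the data is well formed.
// Treat the resulting string as if it had arrived from an untrusted source.
function sample_payload(): string {
    return serialize(new Obj(1));
}

// Defensive path: with allowed_classes => false no class is instantiated. The
// value comes back as __PHP_Incomplete_Class, so SplFixedArray::__wakeup and
// Obj::__destruct never execute on the supplied property data.
function unserialize_untrusted(string $payload): bool {
    $value = unserialize($payload, ['allowed_classes' => false]);
    return $value instanceof __PHP_Incomplete_Class;
}

// Reference path: plain unserialize() instantiates Obj, runs the inherited
// __wakeup over the supplied properties, and later runs __destruct. This is the
// route the report exercises, so it must only ever see data you produced yourself.
function unserialize_trusted(string $payload): bool {
    $value = unserialize($payload);
    return $value instanceof Obj;
}

$payload = sample_payload();
var_dump(unserialize_untrusted($payload));  // bool(true): no Obj was created
var_dump(unserialize_trusted($payload));    // bool(true): Obj created, hooks ran
```

wddx_deserialize(), which the reporter's packet targets, has no allowed_classes equivalent and instantiates the class named by php_class_name, so the only safeguard there is to never feed it untrusted data; the WDDX extension was moved out of core in PHP 7.4.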
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri May 29 21:01:25 2020 UTC