|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77298 segfault occurs when add property to unserialized ArrayObject
Submitted: 2018-12-14 11:47 UTC Modified: 2018-12-21 16:46 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: conorycom at gmail dot com Assigned: cmb (profile)
Status: Closed Package: SPL related
PHP Version: 7.3.0 OS: centos7
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: conorycom at gmail dot com
New email:
PHP Version: OS:


 [2018-12-14 11:47 UTC] conorycom at gmail dot com
segfault occurs when add property to unserialized ArrayObject

Test script:
// 1
$a = unserialize('C:11:"ArrayObject":21:{x:i:2;a:0:{};m:a:0:{}}C:11:"ArrayObject":21:{x:i:2;a:0:{};m:a:0:{}}C:11:"ArrayObject":21:{x:i:2;a:0:{};m:a:0:{}}');
$a->c = 'test';

// 2
$b = new \ArrayObject;
$b->c = 'test';

Actual result:


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-14 12:14 UTC]
-Status: Open +Status: Verified
 [2018-12-14 12:14 UTC]
A debug build yields:

php: /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c:658: _zend_hash_add_or_update_i: Assertion `(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffffe07442a in __GI_abort () at abort.c:89
#2  0x00007ffffe06be67 in __assert_fail_base (fmt=<optimized out>,
    assertion=assertion@entry=0x85a2820 "(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))",
    file=file@entry=0x85a2780 "/mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c", line=line@entry=658,
    function=function@entry=0x85a2c10 <__PRETTY_FUNCTION__.11061> "_zend_hash_add_or_update_i") at assert.c:92
#3  0x00007ffffe06bf12 in __GI___assert_fail (
    assertion=0x85a2820 "(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))", file=0x85a2780 "/mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c",
    function=0x85a2c10 <__PRETTY_FUNCTION__.11061> "_zend_hash_add_or_update_i") at assert.c:101
#4  0x00000000083b6cfb in _zend_hash_add_or_update_i (
    ht=0x88dba20 <zend_empty_array>, key=0x8b084a0, pData=0x7ffffdc72210,
    flag=5) at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c:658
#5  0x00000000083b75c8 in zend_hash_update_ind (
    ht=0x88dba20 <zend_empty_array>, key=0x8b084a0, pData=0x7ffffdc72210)
    at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c:828
#6  0x0000000008205e76 in zend_symtable_update_ind (
    ht=0x88dba20 <zend_empty_array>, key=0x8b084a0, pData=0x7ffffdc72210)
    at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.h:414
#7  0x0000000008207536 in spl_array_write_dimension_ex (check_inherited=1,
    object=0x7ffffdc1e080, offset=0x7ffffdc72200, value=0x7ffffdc72210)
    at /mnt/c/Users/cmb/php-dev/php-src/ext/spl/spl_array.c:485
#8  0x0000000008207650 in spl_array_write_dimension (object=0x7ffffdc1e080,
    offset=0x7ffffdc72200, value=0x7ffffdc72210)
    at /mnt/c/Users/cmb/php-dev/php-src/ext/spl/spl_array.c:521
#9  0x000000000820859f in spl_array_write_property (object=0x7ffffdc1e080,
    member=0x7ffffdc72200, value=0x7ffffdc72210, cache_slot=0x7ffffdc63368)
    at /mnt/c/Users/cmb/php-dev/php-src/ext/spl/spl_array.c:885
    () at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_vm_execute.h:40116
#11 0x00000000084717e7 in execute_ex (ex=0x7ffffdc1e030)
    at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_vm_execute.h:59694
#12 0x00000000084729d7 in zend_execute (op_array=0x7ffffdc7b300,
    at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_vm_execute.h:60834
#13 0x00000000083a4956 in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend.c:1568
#14 0x000000000831b289 in php_execute_script (primary_file=0x7ffffffedf10)
    at /mnt/c/Users/cmb/php-dev/php-src/main/main.c:2630
#15 0x00000000084753cb in do_cli (argc=2, argv=0x8afcd10)
    at /mnt/c/Users/cmb/php-dev/php-src/sapi/cli/php_cli.c:997
#16 0x0000000008476281 in main (argc=2, argv=0x8afcd10)
    at /mnt/c/Users/cmb/php-dev/php-src/sapi/cli/php_cli.c:1389
 [2018-12-16 15:20 UTC]
This regression has apparently been introduced with commit

[1] <;a=commit;h=9cf87aa1965504b1cd9dc595a3c6af418a416cfc>
 [2018-12-19 16:27 UTC]
The following pull request has been associated:

Patch Name: fix #77298 segfault occurs when add property to unserialized empty ArrayObject
On GitHub:
 [2018-12-21 16:46 UTC]
-Package: Class/Object related +Package: SPL related -Assigned To: +Assigned To: cmb
 [2018-12-21 16:47 UTC]
Automatic comment on behalf of jhdxr
Log: Fix #77298: segfault occurs when add property to unserialized empty ArrayObject
 [2018-12-21 16:47 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Feb 19 10:01:28 2020 UTC