Bug #77298 segfault occurs when add property to unserialized ArrayObject
Submitted: 2018-12-14 11:47 UTC Modified: 2018-12-21 16:46 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: conorycom at gmail dot com Assigned: cmb (profile)
Status: Closed Package: SPL related
PHP Version: 7.3.0 OS: centos7
Private report: No CVE-ID: None
 [2018-12-14 11:47 UTC] conorycom at gmail dot com
Description:
------------
segfault occurs when add property to unserialized ArrayObject

Test script:
---------------
<?php
// 1: ArrayObject with an empty storage array, created through unserialize()
$a = unserialize('C:11:"ArrayObject":21:{x:i:2;a:0:{};m:a:0:{}}C:11:"ArrayObject":21:{x:i:2;a:0:{};m:a:0:{}}C:11:"ArrayObject":21:{x:i:2;a:0:{};m:a:0:{}}');
$a->c = 'test'; // property write on the unserialized object -> segfault

// 2: same thing through ArrayObject::unserialize() called directly
$b = new \ArrayObject;
$b->unserialize('x:i:2;a:0:{};m:a:0:{}x:i:2;a:0:{};m:a:0:{}x:i:2;a:0:{};m:a:0:{}');
$b->c = 'test'; // segfault as well

Actual result:
--------------
segfault!
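The crash above is reachable from any code path that hands attacker-controlled bytes to unserialize(), which makes it a remote process-abort (denial of service) rather than a mere local curiosity. The following is an added example in PHP, not code from the bug report or from php-src. It shows the defensive pattern that keeps the affected SPL write path out of reach for untrusted input, and an opt-in regression check that re-runs the reporter's first case. The names unserializeUntrusted and PHP_BUG_77298_TRIGGER are chosen here; the serialized payload is copied from the test script above.

```php
<?php
// Added example; not from the bug report or from php-src.
// (a) the defensive pattern for data that did not originate in this process
// (b) an opt-in regression check that replays case 1 of the report
declare(strict_types=1);

// First record from the report: an ArrayObject whose storage is the empty
// array (a:0:{}). Constructed input, copied from the test script above.
const EMPTY_ARRAYOBJECT = 'C:11:"ArrayObject":21:{x:i:2;a:0:{};m:a:0:{}}';

/**
 * Unserialize data from an untrusted source.
 * With allowed_classes => false the unserializer instantiates no class at
 * all: every C:/O: record becomes __PHP_Incomplete_Class, so no ArrayObject
 * (and therefore none of its SPL property/dimension write handlers) is
 * ever created from the input. The warning PHP emits for the incomplete
 * class having no unserializer is suppressed; the value is checked instead.
 */
function unserializeUntrusted(string $data)
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    return $value;
}

// Safe path: the payload must not produce an ArrayObject.
$safe = unserializeUntrusted(EMPTY_ARRAYOBJECT);
if ($safe instanceof ArrayObject) {
    throw new LogicException('allowed_classes was ignored');
}
echo 'untrusted path yielded an instance of ', get_class($safe), PHP_EOL;

// Regression check, opt-in only. On an affected build (7.3.0 per the
// report) the property write aborts the process, so run it in a
// throwaway child and look at the exit status, e.g.
//   PHP_BUG_77298_TRIGGER=1 php this_file.php; echo "exit=$?"
// A normal exit after "write survived" means the build carries the fix.
if (getenv('PHP_BUG_77298_TRIGGER') === '1') {
    $a = unserialize(EMPTY_ARRAYOBJECT); // allowed_classes defaults to true
    $a->c = 'test';
    echo 'write survived', PHP_EOL;
}
```

Note that allowed_classes only governs the unserialize() function. Case 2 of the report calls ArrayObject::unserialize() directly on an existing object; application code that does that with external data bypasses the option entirely and should treat that method as the same sink.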

History

 [2018-12-14 12:14 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-12-14 12:14 UTC] cmb@php.net
A debug build yields:

php: /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c:658: _zend_hash_add_or_update_i: Assertion `(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffffe07442a in __GI_abort () at abort.c:89
#2  0x00007ffffe06be67 in __assert_fail_base (fmt=<optimized out>,
    assertion=assertion@entry=0x85a2820 "(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))",
    file=file@entry=0x85a2780 "/mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c", line=line@entry=658,
    function=function@entry=0x85a2c10 <__PRETTY_FUNCTION__.11061> "_zend_hash_add_or_update_i") at assert.c:92
#3  0x00007ffffe06bf12 in __GI___assert_fail (
    assertion=0x85a2820 "(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))", file=0x85a2780 "/mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c",
    line=658,
    function=0x85a2c10 <__PRETTY_FUNCTION__.11061> "_zend_hash_add_or_update_i") at assert.c:101
#4  0x00000000083b6cfb in _zend_hash_add_or_update_i (
    ht=0x88dba20 <zend_empty_array>, key=0x8b084a0, pData=0x7ffffdc72210,
    flag=5) at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c:658
#5  0x00000000083b75c8 in zend_hash_update_ind (
    ht=0x88dba20 <zend_empty_array>, key=0x8b084a0, pData=0x7ffffdc72210)
    at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c:828
#6  0x0000000008205e76 in zend_symtable_update_ind (
    ht=0x88dba20 <zend_empty_array>, key=0x8b084a0, pData=0x7ffffdc72210)
    at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.h:414
#7  0x0000000008207536 in spl_array_write_dimension_ex (check_inherited=1,
    object=0x7ffffdc1e080, offset=0x7ffffdc72200, value=0x7ffffdc72210)
    at /mnt/c/Users/cmb/php-dev/php-src/ext/spl/spl_array.c:485
#8  0x0000000008207650 in spl_array_write_dimension (object=0x7ffffdc1e080,
    offset=0x7ffffdc72200, value=0x7ffffdc72210)
    at /mnt/c/Users/cmb/php-dev/php-src/ext/spl/spl_array.c:521
#9  0x000000000820859f in spl_array_write_property (object=0x7ffffdc1e080,
    member=0x7ffffdc72200, value=0x7ffffdc72210, cache_slot=0x7ffffdc63368)
    at /mnt/c/Users/cmb/php-dev/php-src/ext/spl/spl_array.c:885
#10 0x000000000845654c in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_OP_DATA_CONST_HANDLER
    () at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_vm_execute.h:40116
#11 0x00000000084717e7 in execute_ex (ex=0x7ffffdc1e030)
    at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_vm_execute.h:59694
#12 0x00000000084729d7 in zend_execute (op_array=0x7ffffdc7b300,
    return_value=0x0)
    at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_vm_execute.h:60834
#13 0x00000000083a4956 in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend.c:1568
#14 0x000000000831b289 in php_execute_script (primary_file=0x7ffffffedf10)
    at /mnt/c/Users/cmb/php-dev/php-src/main/main.c:2630
#15 0x00000000084753cb in do_cli (argc=2, argv=0x8afcd10)
    at /mnt/c/Users/cmb/php-dev/php-src/sapi/cli/php_cli.c:997
#16 0x0000000008476281 in main (argc=2, argv=0x8afcd10)
    at /mnt/c/Users/cmb/php-dev/php-src/sapi/cli/php_cli.c:1389
 [2018-12-16 15:20 UTC] cmb@php.net
This regression has apparently been introduced with commit
9cf87aa[1].

[1] <http://git.php.net/?p=php-src.git;a=commit;h=9cf87aa1965504b1cd9dc595a3c6af418a416cfc>
 [2018-12-19 16:27 UTC] jhdxr@php.net
The following pull request has been associated:

Patch Name: fix #77298 segfault occurs when add property to unserialized empty ArrayObject
On GitHub:  https://github.com/php/php-src/pull/3711
Patch:      https://github.com/php/php-src/pull/3711.patch
 [2018-12-21 16:46 UTC] cmb@php.net
-Package: Class/Object related +Package: SPL related -Assigned To: +Assigned To: cmb
 [2018-12-21 16:47 UTC] cmb@php.net
Automatic comment on behalf of jhdxr
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b15189f4d8af396cc5731a7b7eaeb0791cf0bced
Log: Fix #77298: segfault occurs when add property to unserialized empty ArrayObject
 [2018-12-21 16:47 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 04 08:01:28 2024 UTC