php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77298 segfault occurs when add property to unserialized ArrayObject
Submitted: 2018-12-14 11:47 UTC Modified: 2018-12-21 16:46 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: conorycom at gmail dot com Assigned: cmb (profile)
Status: Closed Package: SPL related
PHP Version: 7.3.0 OS: centos7
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
25 - 24 = ?
Subscribe to this entry?

 
 [2018-12-14 11:47 UTC] conorycom at gmail dot com
Description:
------------
segfault occurs when add property to unserialized ArrayObject

Test script:
---------------
<?php
// 1
$a = unserialize('C:11:"ArrayObject":21:{x:i:2;a:0:{};m:a:0:{}}C:11:"ArrayObject":21:{x:i:2;a:0:{};m:a:0:{}}C:11:"ArrayObject":21:{x:i:2;a:0:{};m:a:0:{}}');
$a->c = 'test';

// 2
$b = new \ArrayObject;
$b->unserialize('x:i:2;a:0:{};m:a:0:{}x:i:2;a:0:{};m:a:0:{}x:i:2;a:0:{};m:a:0:{}');
$b->c = 'test';

Actual result:
--------------
segfault!

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-14 12:14 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-12-14 12:14 UTC] cmb@php.net
A debug build yields:

php: /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c:658: _zend_hash_add_or_update_i: Assertion `(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffffe07442a in __GI_abort () at abort.c:89
#2  0x00007ffffe06be67 in __assert_fail_base (fmt=<optimized out>,
    assertion=assertion@entry=0x85a2820 "(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))",
    file=file@entry=0x85a2780 "/mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c", line=line@entry=658,
    function=function@entry=0x85a2c10 <__PRETTY_FUNCTION__.11061> "_zend_hash_add_or_update_i") at assert.c:92
#3  0x00007ffffe06bf12 in __GI___assert_fail (
    assertion=0x85a2820 "(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))", file=0x85a2780 "/mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c",
    line=658,
    function=0x85a2c10 <__PRETTY_FUNCTION__.11061> "_zend_hash_add_or_update_i") at assert.c:101
#4  0x00000000083b6cfb in _zend_hash_add_or_update_i (
    ht=0x88dba20 <zend_empty_array>, key=0x8b084a0, pData=0x7ffffdc72210,
    flag=5) at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c:658
#5  0x00000000083b75c8 in zend_hash_update_ind (
    ht=0x88dba20 <zend_empty_array>, key=0x8b084a0, pData=0x7ffffdc72210)
    at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c:828
#6  0x0000000008205e76 in zend_symtable_update_ind (
    ht=0x88dba20 <zend_empty_array>, key=0x8b084a0, pData=0x7ffffdc72210)
    at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.h:414
#7  0x0000000008207536 in spl_array_write_dimension_ex (check_inherited=1,
    object=0x7ffffdc1e080, offset=0x7ffffdc72200, value=0x7ffffdc72210)
    at /mnt/c/Users/cmb/php-dev/php-src/ext/spl/spl_array.c:485
#8  0x0000000008207650 in spl_array_write_dimension (object=0x7ffffdc1e080,
    offset=0x7ffffdc72200, value=0x7ffffdc72210)
    at /mnt/c/Users/cmb/php-dev/php-src/ext/spl/spl_array.c:521
#9  0x000000000820859f in spl_array_write_property (object=0x7ffffdc1e080,
    member=0x7ffffdc72200, value=0x7ffffdc72210, cache_slot=0x7ffffdc63368)
    at /mnt/c/Users/cmb/php-dev/php-src/ext/spl/spl_array.c:885
#10 0x000000000845654c in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_OP_DATA_CONST_HANDLER
    () at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_vm_execute.h:40116
#11 0x00000000084717e7 in execute_ex (ex=0x7ffffdc1e030)
    at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_vm_execute.h:59694
#12 0x00000000084729d7 in zend_execute (op_array=0x7ffffdc7b300,
    return_value=0x0)
    at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_vm_execute.h:60834
#13 0x00000000083a4956 in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend.c:1568
#14 0x000000000831b289 in php_execute_script (primary_file=0x7ffffffedf10)
    at /mnt/c/Users/cmb/php-dev/php-src/main/main.c:2630
#15 0x00000000084753cb in do_cli (argc=2, argv=0x8afcd10)
    at /mnt/c/Users/cmb/php-dev/php-src/sapi/cli/php_cli.c:997
#16 0x0000000008476281 in main (argc=2, argv=0x8afcd10)
    at /mnt/c/Users/cmb/php-dev/php-src/sapi/cli/php_cli.c:1389
 [2018-12-16 15:20 UTC] cmb@php.net
This regression has apparently been introduced with commit
9cf87aa[1].

[1] <http://git.php.net/?p=php-src.git;a=commit;h=9cf87aa1965504b1cd9dc595a3c6af418a416cfc>
 [2018-12-19 16:27 UTC] jhdxr@php.net
The following pull request has been associated:

Patch Name: fix #77298 segfault occurs when add property to unserialized empty ArrayObject
On GitHub:  https://github.com/php/php-src/pull/3711
Patch:      https://github.com/php/php-src/pull/3711.patch
 [2018-12-21 16:46 UTC] cmb@php.net
-Package: Class/Object related +Package: SPL related -Assigned To: +Assigned To: cmb
 [2018-12-21 16:47 UTC] cmb@php.net
Automatic comment on behalf of jhdxr
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b15189f4d8af396cc5731a7b7eaeb0791cf0bced
Log: Fix #77298: segfault occurs when add property to unserialized empty ArrayObject
 [2018-12-21 16:47 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 21:01:27 2024 UTC