Bug #78438 Corruption when __unserializing deeply nested structures
Submitted: 2019-08-21 15:26 UTC Modified: 2019-08-23 09:42 UTC
From: risto at live dot nl Assigned: cmb (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 7.4.0beta2 OS: Linux; Fedora 30
Private report: No CVE-ID: None
 [2019-08-21 15:26 UTC] risto at live dot nl
Description:
------------
Data corruption seems to occur when using PHP 7.4's new __serialize and __unserialize functionality in deeply nested data structures.

Test script:
---------------
Tested on PHP 7.4.0beta4 (cli) (built: Aug 20 2019 14:09:23) ( NTS )

However the bug has been observed in beta 1 and 2 as well.

See https://gist.github.com/Devristo/878f4dbd9e30ee3a3c235f0d2ef3431d for a reproducer.

And https://github.com/symfony/symfony/issues/33214 for the issue in the wild.

Expected result:
----------------
When running the script I expect the unserialization to succeed as it does for deeply nested structures, as it does for the smaller sized examples in the reproducer.

Actual result:
--------------
It seems that in the deeply nested examples in the reproducer unserialization fails with errors like:

 - Argument 1 passed to X::__unserialize() must be of the type array, unknown given
 - Argument 1 passed to X::__unserialize() must be of the type array, int given

 [2019-08-22 14:51 UTC] cmb@php.net
-Status: Open
+Status: Verified
-Package: Class/Object related
+Package: Scripting Engine problem
 [2019-08-22 14:51 UTC] cmb@php.net
The basic problem is that we're using two slots[1], which doesn't
work if the slots are distributed across two elements of the
linked list, in which case the first slot is in the list element
*after* the second slot.

There is also an issue with `VAR_DTOR_ENTRIES_MAX`[2] which doesn't
match the actual definition[3] and at least wastes memory.

[1] <https://github.com/php/php-src/blob/php-7.4.0beta4/ext/standard/var_unserializer.re#L653-L660>
[2] <https://github.com/php/php-src/blob/php-7.4.0beta4/ext/standard/var_unserializer.re#L26>
[3] <https://github.com/php/php-src/blob/php-7.4.0beta4/ext/standard/var_unserializer.re#L43>
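The failure mode described in the comment above, as an added simplified model that is not php-src code: a two-slot record pushed one slot at a time into a chunked linked list can straddle a chunk boundary, while reserving both slots in one call keeps them adjacent. `CHUNK_MAX`, `push_slots` and `split_pairs` are hypothetical names, and the reader expecting the second slot directly after the first is an assumption of this model.

```c
#include <stdio.h>
#include <stdlib.h>

#define CHUNK_MAX 4 /* constructed, tiny so a chunk boundary is hit quickly */

typedef struct chunk {
    int used;
    struct chunk *next;
    int data[CHUNK_MAX];
} chunk;

typedef struct { chunk *first, *last; } slot_list;

/* Reserve num contiguous slots, opening a new chunk when they do not fit. */
static int *push_slots(slot_list *l, int num) {
    chunk *c = l->last;
    if (num < 1 || num > CHUNK_MAX) return NULL;
    if (!c || c->used + num > CHUNK_MAX) {
        if (!(c = calloc(1, sizeof *c))) return NULL;
        if (l->last) l->last->next = c; else l->first = c;
        l->last = c;
    }
    c->used += num;
    return &c->data[c->used - num];
}

/* Push one unrelated slot, then `pairs` two-slot records. Returns how many
 * records have their second slot NOT directly after the first (-1 on OOM). */
int split_pairs(int pairs, int contiguous) {
    slot_list l = {0};
    int split = 0, ok = push_slots(&l, 1) != NULL;
    for (int i = 0; ok && i < pairs; i++) {
        /* Either two independent pushes, or one reservation of two slots. */
        int *a = push_slots(&l, contiguous ? 2 : 1);
        int *b = contiguous ? (a ? a + 1 : NULL) : push_slots(&l, 1);
        ok = a && b;
        if (ok && b != a + 1) split++; /* record straddles two chunks */
    }
    for (chunk *c = l.first, *n; c; c = n) { n = c->next; free(c); }
    return ok ? split : -1;
}

int main(void) {
    printf("two pushes: %d split, one reservation: %d split\n",
           split_pairs(4, 0), split_pairs(4, 1));
    return 0;
}
```

The split only appears once enough slots have been pushed to fill a chunk, which matches the report that small inputs unserialize correctly and only deeply nested ones fail.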
 [2019-08-22 15:19 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #78438: Corruption when __unserializing deeply nested structures
On GitHub:  https://github.com/php/php-src/pull/4608
Patch:      https://github.com/php/php-src/pull/4608.patch
 [2019-08-23 09:42 UTC] cmb@php.net
-Summary: Data corruption when using __serialize and __unserialize in nested structures
+Summary: Corruption when __unserializing deeply nested structures
-Assigned To:
+Assigned To: cmb
 [2019-08-23 09:43 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ca265eb54510ff9513abf37a05e40de0a8a50789
Log: Fix #78438: Corruption when __unserializing deeply nested structures
 [2019-08-23 09:43 UTC] cmb@php.net
-Status: Verified +Status: Closed
Last updated: Fri Dec 06 21:01:24 2019 UTC