php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #78438 Corruption when __unserializing deeply nested structures
Submitted: 2019-08-21 15:26 UTC Modified: 2019-08-23 09:42 UTC
From: risto at live dot nl Assigned: cmb (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 7.4.0beta2 OS: Linux; Fedora 30
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: risto at live dot nl
New email:
PHP Version: OS:

 

 [2019-08-21 15:26 UTC] risto at live dot nl 
Description:
------------
Data corruption seems to occur when using PHP 7.4s new __serialize and __unserialize functionality in deeply nested data structures. 

Test script:
---------------
Tested on PHP 7.4.0beta4 (cli) (built: Aug 20 2019 14:09:23) ( NTS )

However the bug has been observed in beta 1 and 2 as well.

See https://gist.github.com/Devristo/878f4dbd9e30ee3a3c235f0d2ef3431d for a reproducer.

And https://github.com/symfony/symfony/issues/33214 for the issue in the wild.

Expected result:
----------------
When running the script I expect the unserialization to succeed as it does for deeply nested structures, as it does for the smaller sized examples in the reproducer.

Actual result:
--------------
It seems that in the deeply nested examples in the reproducer unserialization fails with errors like:

 - Argument 1 passed to X::__unserialize() must be of the type array, unknown given
 - Argument 1 passed to X::__unserialize() must be of the type array, int given

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-08-22 14:51 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: Class/Object related +Package: Scripting Engine problem
 [2019-08-22 14:51 UTC] cmb@php.net 
The basic problem is that we're using two slots[1], which doesn't
work if the slots are distributed across two elements of the
linked list, in which case the first slot is in the list element
*after* the second slot.

There is also an issue with `VAR_DTOR_ENTRIES_MAX`[2] which doesn't
match the actual definition[3] and at least wastes memory.

[1] <https://github.com/php/php-src/blob/php-7.4.0beta4/ext/standard/var_unserializer.re#L653-L660>
[2] <https://github.com/php/php-src/blob/php-7.4.0beta4/ext/standard/var_unserializer.re#L26>
[3] <https://github.com/php/php-src/blob/php-7.4.0beta4/ext/standard/var_unserializer.re#L43>
 [2019-08-22 15:19 UTC] cmb@php.net 
The following pull request has been associated:

Patch Name: Fix #78438: Corruption when __unserializing deeply nested structures
On GitHub:  https://github.com/php/php-src/pull/4608
Patch:      https://github.com/php/php-src/pull/4608.patch
 [2019-08-23 09:42 UTC] cmb@php.net
-Summary: Data corruption when using __serialize and __unserialize in nested structures +Summary: Corruption when __unserializing deeply nested structures -Assigned To: +Assigned To: cmb
 [2019-08-23 09:43 UTC] cmb@php.net 
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ca265eb54510ff9513abf37a05e40de0a8a50789
Log: Fix #78438: Corruption when __unserializing deeply nested structures
 [2019-08-23 09:43 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 18 05:01:28 2024 UTC