Edit report at https://bugs.php.net/bug.php?id=52113&edit=1

 ID:                 52113
 Updated by:         der...@php.net
 Reported by:        cmc333333 at gmail dot com
 Summary:            Seg fault after unserializing DatePeriod
-Status:             Verified
+Status:             Closed
 Type:               Bug
 Package:            Date/time related
 Operating System:   Debian Squeeze/Sid
 PHP Version:        5.3.2
 Assigned To:        derick
 Block user comment: N
 Private report:     N

 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.




Previous Comments:
------------------------------------------------------------------------
[2011-11-24 21:47:19] fel...@php.net

Another way to have a related crash:

<?php
class dummy extends DateInterval {
        public function __construct() {
        }
}
$x = new dummy;
$x->y = 1;


0x0000000000447349 in date_interval_write_property (object=0x7ffff7fcb200, 
member=0x7ffff7fcd708, value=0x7ffff7fcb180, key=0x7ffff7fcd708, 
tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/ext/date/php_date.c:3496
3496                    SET_VALUE_FROM_STRUCT(y, "y");
gdb$ bt
#0  0x0000000000447349 in date_interval_write_property (object=0x7ffff7fcb200, 
member=0x7ffff7fcd708, value=0x7ffff7fcb180, key=0x7ffff7fcd708, 
tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/ext/date/php_date.c:3496
#1  0x0000000000af9683 in zend_assign_to_object (retval=0x0, 
object_ptr=0x7ffff7fcf8f0, property_name=0x7ffff7fcd708, value_type=0x1, 
value_op=0x7ffff7fcc7a0, Ts=0x7ffff7f95190, opcode=0x88, key=0x7ffff7fcd708, 
tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/Zend/zend_execute.c:738
#2  0x0000000000bfe0b1 in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_HANDLER 
(execute_data=0x7ffff7f950f8, tsrm_ls=0x13ae0c0) at 
/home/felipe/dev/phptrunk/Zend/zend_vm_execute.h:28753
#3  0x0000000000afdab1 in execute (op_array=0x7ffff7fcec00, tsrm_ls=0x13ae0c0) 
at /home/felipe/dev/phptrunk/Zend/zend_vm_execute.h:410
#4  0x0000000000ab5029 in zend_execute_scripts (type=0x8, tsrm_ls=0x13ae0c0, 
retval=0x0, file_count=0x3) at /home/felipe/dev/phptrunk/Zend/zend.c:1272
#5  0x00000000009fa7a5 in php_execute_script (primary_file=0x7fffffffe180, 
tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/main/main.c:2414
#6  0x0000000000c3d2ce in do_cli (argc=0x2, argv=0x7fffffffe538, 
tsrm_ls=0x13ae0c0) at /home/felipe/dev/phptrunk/sapi/cli/php_cli.c:983
#7  0x0000000000c3e519 in main (argc=0x2, argv=0x7fffffffe538) at 
/home/felipe/dev/phptrunk/sapi/cli/php_cli.c:1356

------------------------------------------------------------------------
[2011-01-22 08:45:27] s...@php.net

I meant DateInterval, but true for DatePeriod too.

------------------------------------------------------------------------
[2011-01-22 08:37:47] s...@php.net

DatePeriod, like most other Date* objects, does not have a proper serialization 
handler; this is the cause of the segfault.

------------------------------------------------------------------------
[2010-06-18 02:49:51] dtajchre...@php.net

Verified with a fresh checkout. Assigning to Derick. 

david@beirut:~/php/5_3$ sapi/cli/php -v
PHP 5.3.3-dev (cli) (built: Jun 17 2010 19:42:56) 
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies


(gdb) r -ddate.timezone="America/Chicago" /home/david/test.php
Starting program: /home/david/php/5_3/sapi/cli/php -ddate.timezone="America/Chicago" /home/david/test.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
timelib_rel_time_clone (rel=0x0) at /usr/include/bits/string3.h:52
52        return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0  timelib_rel_time_clone (rel=0x0) at /usr/include/bits/string3.h:52
#1  0x0000000000421728 in zim_DatePeriod___construct (ht=<value optimized out>, 
return_value=<value optimized out>, return_value_ptr=<value optimized out>, 
this_ptr=0xde26c8, 
    return_value_used=<value optimized out>) at 
/home/david/php/5_3/ext/date/php_date.c:3752
#2  0x00000000006afd36 in zend_do_fcall_common_helper_SPEC 
(execute_data=0x7ffff7e7f050) at /home/david/php/5_3/Zend/zend_vm_execute.h:316
#3  0x00000000006a9e58 in execute (op_array=0xddd8f8) at 
/home/david/php/5_3/Zend/zend_vm_execute.h:107
#4  0x00000000006855da in zend_execute_scripts (type=8, retval=<value optimized 
out>, file_count=3) at /home/david/php/5_3/Zend/zend.c:1194
#5  0x00000000006352ed in php_execute_script (primary_file=<value optimized 
out>) at /home/david/php/5_3/main/main.c:2260
#6  0x000000000070bad0 in main (argc=<value optimized out>, argv=<value 
optimized out>) at /home/david/php/5_3/sapi/cli/php_cli.c:1192

------------------------------------------------------------------------
[2010-06-17 21:49:22] cmc333333 at gmail dot com

Description:
------------
PHP 5.3.2-1 with Suhosin-Patch (cli) (built: Mar 14 2010 00:09:57
Standard Debian packages

Segfault when trying to construct a DatePeriod with an unserialized 
DateInterval.

Test script:
---------------
<?php
$start = new DateTime('2003-01-02 08:00:00');
$end = new DateTime('2003-01-02 12:00:00');
$diff = $start->diff($end);
$p = new DatePeriod($start, $diff, 2);

$diff_s = serialize($diff);

$diff_un = unserialize($diff_s);
//  Will segfault
$p = new DatePeriod($start, $diff_un, 2);


Expected result:
----------------
No Segfault

Actual result:
--------------
#0  timelib_rel_time_clone (rel=0x0) at /usr/include/bits/string3.h:52
#1  0x000000000042de6a in zim_DatePeriod___construct (ht=29638928, 
return_value=0x0, return_value_ptr=0x0, 
    this_ptr=0x1c09668, return_value_used=104)
    at 
/build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/ext/date/php_date.c:3727
#2  0x00007fd3c9990c5c in xdebug_execute_internal 
(current_execute_data=0x7fd3d3bd6068, return_value_used=0)
    at 
/build/buildd-xdebug_2.0.5-1+b1-amd64-qDjrMY/xdebug-2.0.5/build-php5/xdebug.c:1631
#3  0x00000000006cb4c6 in zend_do_fcall_common_helper_SPEC 
(execute_data=0x7fd3d3bd6068)
    at 
/build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/Zend/zend_vm_execute.h:315
#4  0x00000000006a29b0 in execute (op_array=0x1c03258)
    at 
/build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/Zend/zend_vm_execute.h:104
#5  0x00007fd3c99908a9 in xdebug_execute (op_array=0x1c03258)
    at 
/build/buildd-xdebug_2.0.5-1+b1-amd64-qDjrMY/xdebug-2.0.5/build-php5/xdebug.c:1562
#6  0x000000000067a64d in zend_execute_scripts (type=0, retval=0x7fffdbd0dd20, 
file_count=3)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/Zend/zend.c:1266
#7  0x0000000000626288 in php_execute_script (primary_file=Cannot access memory 
at address 0x8000dbd0cbb8
)
    at /build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/main/main.c:2288
#8  0x000000000070a992 in main (argc=0, argv=0x2c4bf84)
    at 
/build/buildd-php5_5.3.2-1-amd64-Nz9Pgu/php5-5.3.2/sapi/cli/php_cli.c:1196



------------------------------------------------------------------------
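
The backtraces above show timelib_rel_time_clone being called with rel=0x0 from the DatePeriod constructor. The following is a minimal C model of that failure pattern and of a defensive check in the consumer, added here as an example; it is not PHP's source or the actual fix, and every type and function name in it is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the engine's structures; not PHP source. */
typedef struct { long y, m, d, h, i, s; } rel_time;
typedef struct { rel_time *diff; int initialized; } interval_obj;

/* Normal construction path: allocates and fills the internal state. */
static interval_obj *interval_new(long hours) {
    interval_obj *o = calloc(1, sizeof *o);
    if (!o) return NULL;
    o->diff = calloc(1, sizeof *o->diff);
    if (!o->diff) { free(o); return NULL; }
    o->diff->h = hours;
    o->initialized = 1;
    return o;
}

/* Models an object restored without a serialization handler: the wrapper
 * exists, but the internal pointer was never populated (diff == NULL). */
static interval_obj *interval_restored_without_handler(void) {
    return calloc(1, sizeof(interval_obj));
}

/* Clone that validates its input instead of passing NULL to memcpy. */
static rel_time *rel_time_clone_checked(const rel_time *rel) {
    if (rel == NULL) return NULL;
    rel_time *copy = malloc(sizeof *copy);
    if (copy) memcpy(copy, rel, sizeof *copy);
    return copy;
}

/* Consumer (the "period constructor" in this model): returns 0 on success,
 * -1 when the interval object was not correctly initialized. */
static int period_init(const interval_obj *iv, rel_time **out) {
    *out = NULL;
    if (iv == NULL || !iv->initialized || iv->diff == NULL) return -1;
    *out = rel_time_clone_checked(iv->diff);
    return *out ? 0 : -1;
}

static void interval_free(interval_obj *o) { if (o) { free(o->diff); free(o); } }

int main(void) {
    interval_obj *bad = interval_restored_without_handler();
    rel_time *out;
    if (period_init(bad, &out) != 0) puts("rejected uninitialized interval");
    interval_free(bad);
    return 0;
}
```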


