Bug #62836 [Com]: Seg fault or broken object references on unserialize()

[james at ifixit dot com]

Edit report at https://bugs.php.net/bug.php?id=62836&edit=1

 ID:                 62836
 Comment by:         james at ifixit dot com
 Reported by:        daniel dot beardsley at gmail dot com
 Summary:            Seg fault or broken object references on
                     unserialize()
 Status:             Open
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   CentOS
 PHP Version:        5.4.5
 Block user comment: N
 Private report:     N

 New Comment:

I've just reproduced this on a build from master, at commit 
b5305d267b6c3b1b09ab0ba4ecf4f66edc5d4077 .

root 11:37:49 serialize > php --version
PHP 5.5.0-dev (cli) (built: Aug 16 2012 11:37:55)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
root 11:39:37 serialize > ./run_test.sh
./run_test.sh: line 3:  2267 Segmentation fault      php 
unserialize_autoload.php > after.out
Original ==========
in autoload: A
in autoload: B
object(A)#1 (4) {
  ["b"]=>
  object(B)#2 (0) {
  }
  ["b1"]=>
  object(B)#2 (0) {
  }
  ["c"]=>
  object(B)#3 (0) {
  }
  ["c1"]=>
  object(B)#3 (0) {
  }
}

Unserialized ======
in autoload: A
in autoload: B
object(A)#1 (4) {
  ["b"]=>
  object(B)#2 (0) {
  }
  ["b1"]=>
  object(B)#2 (0) {
  }
  ["c"]=>
  object(B)#3 (0) {
  }
  ["c1"]=>
  NULL
}

Diff ==============
14,15c14
<   object(B)#3 (0) {
<   }
---
>   NULL
FAILED ============

I built php with the following configure line:

./configure  --host=i686-redhat-linux-gnu --build=i686-redhat-linux-gnu \
--target=i386-redhat-linux --program-prefix= --prefix=/usr --exec-prefix=/usr \
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share \
--includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec \
--localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man \
--infodir=/usr/share/info --with-libdir=lib64 --with-config-file-path=/etc \
--with-config-file-scan-dir=/etc/php.d --disable-debug --with-pic \
--disable-rpath --with-bz2 --with-curl --with-exec-dir=/usr/bin \
--with-freetype-dir=/usr --with-png-dir=/usr --enable-gd-native-ttf \
--without-gdbm --with-gettext --with-gmp --with-iconv --with-jpeg-dir=/usr \
--with-openssl --with-pcre-regex=/usr --with-zlib --with-layout=GNU \
--enable-exif --enable-ftp --enable-magic-quotes --enable-sockets \
--enable-sysvsem --enable-sysvshm --enable-sysvmsg --enable-wddx \
--with-kerberos  --enable-shmop --enable-calendar \
--without-sqlite --with-libxml-dir=/usr \
--enable-pcntl --with-imap=/usr/lib64 \
--with-imap-ssl=/usr/local/ssl/include/openssl --enable-mbstring \
--enable-mbregex --with-gd --enable-bcmath --with-xmlrpc=shared \
--with-mysql=mysqlnd --with-mysqli=mysqlnd \
--enable-dom --enable-soap=shared --with-xsl=shared,/usr \
--enable-xmlreader=shared --enable-xmlwriter=shared --with-readline \
--with-mcrypt=/usr/local/include/mcrypt --with-mhash --with-tidy=shared,/usr \
--enable-sigchild --enable-intl --with-apxs2=/usr/sbin/apxs \
--enable-fpm --with-fpm-user=apache --with-fpm-group=apache


Previous Comments:
------------------------------------------------------------------------
[2012-08-16 08:59:19] daniel dot beardsley at gmail dot com

Description:
------------
Occurs on php 5.4.0, but not on 5.3 (I'll try on other versions soon).
Please run this test from /tmp/serialize/run_tests.sh (see bottom for 
explanation)

## Description ##

If calling unserialize() somehow calls back into user code (i.e. autoloading a
class while unserializing it) and user code does another unserialize() (no 
matter what it is), object references in the outer unserialization process 
won't 
be restored correctly. Sometimes the outer call can result in a Segmentation 
Fault instead of just broken references.

In particular, object refrerences will often be replaced with a seemingly random
value from your serialized object graph (or NULL).

The call stack at the time of the problem looks like this:

  #0 /tmp/serialize/setup.php(6): unserialize('i:4');
  #1 [internal function]: __autoload('A')
  #2 /tmp/serialize/unserialize_autoload.php(4): unserialize('O:1:"A":4:
{s:1:...')
  #3 {main}

The unserialize call in frame #2 returns incorrect results because of the 
"recursive" unserialize call in frame #0.

Note:
For reasons that completely escape me, this code seems dependent on the literal 
path it's run from.  Some paths hide the bug, some cause failure, and some 
cause 
a SegFault.  It's consistent on a per-path basis, but I found no pattern.  

Test script:
---------------
https://gist.github.com/3353895

Expected result:
----------------
Before and After output should be the same. Last line of output should read: 
"Passed, no differences"

Before Serialization:
class A#1 (4) {
  public $b =>
  class B#2 (0) {
  }
  public $b1 =>
  class B#2 (0) {
  }
  public $c =>
  class B#3 (0) {
  }
  public $c1 =>
  class B#3 (0) {
  }
}

Actual result:
--------------
After Serialization:
class A#1 (4) {
  public $b =>
  class B#2 (0) {
  }
  public $b1 =>
  string(2) "1\000"
  public $c =>
  class B#3 (0) {
  }
  public $c1 =>
  NULL
}



------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=62836&edit=1