ID: 25378
User updated by: skissane at ics dot mq dot edu dot au
Reported By: skissane at ics dot mq dot edu dot au
-Status: Closed
+Status: Open
Bug Type: Reproducible crash
Operating System: *
-PHP Version: 4.3.4-dev, 5.0.0b2-dev
+PHP Version: 4.3.4-dev, 5.0.0b2-dev; 5CVS-2003-09-06-0330
New Comment:
The fix in the CVS only partially solves the problem. This reproduce script still causes a segfault:

echo unserialize("s:99999999:\"\";");

The problem is that the unserialize code is not checking that the length of the string given in the argument to s is less than the length of the string given as the argument to unserialize. Large enough numbers return random junk from memory; even larger numbers segfault. Negative numbers = very large positive numbers in 2s complement arithmetic!

Previous Comments:
------------------------------------------------------------------------

[2003-09-03 11:27:10] [EMAIL PROTECTED]

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

In case this was a documentation problem, the fix will show up soon at http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show up on the PHP.net site and on the mirror sites in short time.

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------

[2003-09-03 05:21:33] skissane at ics dot mq dot edu dot au

Description:
------------
Invalid string data passed to unserialize function causes segfault.

Reproduce code:
---------------
<? unserialize("s:-1:\"\";"); ?>

Expected result:
----------------
No segfault. Raise an error about data passed to unserialize being invalid.
Actual result:
--------------
#0  0x4207c45c in memcpy () from /lib/tls/libc.so.6
#1  0x081192e0 in _estrndup (s=0xbfffcb04 "\024\220\035\b", length=136191999) at /home/skissane/php-4.3.3/Zend/zend_alloc.c:387
#2  0x080dae02 in php_var_unserialize (rval=0xbfffcb04, p=0xbfffcae4, max=0x81d8ffc "", var_hash=0xbfffcae8) at /home/skissane/php-4.3.3/ext/standard/var_unserializer.c:549
#3  0x080d2d5c in zif_unserialize (ht=1, return_value=0x81d9014, this_ptr=0x0, return_value_used=0) at /home/skissane/php-4.3.3/ext/standard/var.c:671
#4  0x081335ea in execute (op_array=0x81dcec4) at /home/skissane/php-4.3.3/Zend/zend_execute.c:1616
#5  0x08126d0d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/skissane/php-4.3.3/Zend/zend.c:885
#6  0x081016d7 in php_execute_script (primary_file=0xbfffefc0) at /home/skissane/php-4.3.3/main/main.c:1723
#7  0x081381f3 in main (argc=2, argv=0xbffff044) at /home/skissane/php-4.3.3/sapi/cli/php_cli.c:818
#8  0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=25378&edit=1
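The missing check the reporter describes, written out as a stand-alone C parser for the s:<len>:"<data>"; token. This is an added illustration, not PHP's var_unserializer.c: the declared length is validated against the bytes remaining before max (the same name the backtrace shows php_var_unserialize receiving) before anything is copied, and a leading '-' is rejected so a negative length can never wrap to a huge unsigned value. Function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse one serialized string token from [*p, max).
 * Returns 1 and sets *out/*outlen (caller frees) on success, 0 on malformed
 * input; *p is advanced only on success. */
static int unserialize_string(const char **p, const char *max,
                              char **out, size_t *outlen)
{
    const char *cur = *p;
    size_t len = 0, avail, digits = 0;

    if (max - cur < 2 || cur[0] != 's' || cur[1] != ':') return 0;
    cur += 2;
    /* Only a plain digit run is a length; "-1" is rejected here rather than
     * being read as 2^32-1 or 2^64-1 by a signed-to-unsigned conversion. */
    while (cur < max && *cur >= '0' && *cur <= '9') {
        if (len > (SIZE_MAX - 9) / 10) return 0;   /* decimal overflow */
        len = len * 10 + (size_t)(*cur - '0');
        cur++; digits++;
    }
    if (digits == 0 || cur >= max || *cur != ':') return 0;
    cur++;
    if (cur >= max || *cur != '"') return 0;
    cur++;
    /* The bounds check the report says was absent: the declared length plus
     * the closing quote and ';' must fit inside the remaining input. */
    avail = (size_t)(max - cur);
    if (len > avail || avail - len < 2) return 0;
    if (cur[len] != '"' || cur[len + 1] != ';') return 0;

    *out = malloc(len + 1);
    if (*out == NULL) return 0;
    memcpy(*out, cur, len);
    (*out)[len] = '\0';
    *outlen = len;
    *p = cur + len + 2;
    return 1;
}

/* Wrapper taking a NUL-terminated C string, mirroring unserialize()'s single
 * string argument; max is the end of that buffer. */
int check_serialized(const char *input, char **out, size_t *outlen)
{
    const char *p = input;
    const char *max = input + strlen(input);
    return unserialize_string(&p, max, out, outlen);
}
```

Both reproduce inputs from the report ("s:-1:\"\";" and "s:99999999:\"\";") are rejected before any memcpy, while a well-formed token such as s:5:"hello"; is copied normally.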