ID:               25378
 Updated by:       [EMAIL PROTECTED]
 Reported By:      skissane at ics dot mq dot edu dot au
-Status:           Open
+Status:           Closed
 Bug Type:         Reproducible crash
 Operating System: *
 PHP Version:      4.3.4-dev, 5.0.0b2-dev; 5CVS-2003-09-06-0330
 New Comment:

Adding more checks for this is pointless.
Just enable the memory limit with --enable-memory-limit configure
option and set the "memory_limit" in your php.ini to a reasonable
amount.



Previous Comments:
------------------------------------------------------------------------

[2003-09-06 01:55:19] skissane at ics dot mq dot edu dot au

The fix in the CVS only partially solves the problem. This reproduce
script still causes a segfault:

echo unserialize("s:99999999:\"\";");

The problem is that the unserialize code is not checking that the
length of the string given in the argument to s is less than the length
of the string given as the argument to unserialize. Large enough
numbers return random junk from memory; even larger numbers segfault.
Negative numbers = very large positive numbers in 2s complement
arithmetic!

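The missing bounds check described in the comment above, as an added example written for this report (it is not PHP's own code and not the reporter's script): a C parser for one `s:<len>:"...";` token that rejects a negative or overflowing length and refuses any declared length longer than the input that is actually left, which is the comparison the report says php_var_unserialize() skipped before copying. The function and enum names are invented for this example; the sample inputs are the report's two crashers plus a valid token.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of parsing one serialized string token (names invented here). */
enum str_parse_status {
    SP_OK = 0,
    SP_BAD_PREFIX,     /* input does not start with "s:" */
    SP_BAD_LENGTH,     /* length is missing, negative or overflows size_t */
    SP_LENGTH_EXCEEDS, /* declared length is longer than the remaining input */
    SP_BAD_TERMINATOR, /* closing quote or ';' not where the length says */
    SP_NO_MEMORY
};

/*
 * Parse one token of the form s:<len>:"<bytes>"; from buf[0..buf_len).
 * On SP_OK, *out points to a NUL-terminated copy of the payload (caller
 * frees it) and *consumed is the number of input bytes used.
 * Hypothetical function for this example, not PHP's php_var_unserialize().
 */
enum str_parse_status parse_serialized_string(const char *buf, size_t buf_len,
                                              char **out, size_t *consumed)
{
    const char *p = buf, *end = buf + buf_len;
    size_t len = 0, remaining;
    int ndigits = 0;

    *out = NULL;
    *consumed = 0;

    if (buf_len < 2 || p[0] != 's' || p[1] != ':')
        return SP_BAD_PREFIX;
    p += 2;

    /* Read the length as unsigned digits only: a leading '-' is rejected
     * instead of wrapping to a huge positive value, and every step is
     * checked for overflow. */
    while (p < end && *p >= '0' && *p <= '9') {
        size_t digit = (size_t)(*p - '0');
        if (len > (SIZE_MAX - digit) / 10)
            return SP_BAD_LENGTH;
        len = len * 10 + digit;
        ndigits++;
        p++;
    }
    if (ndigits == 0 || p >= end || *p != ':')
        return SP_BAD_LENGTH;
    p++;

    if (p >= end || *p != '"')
        return SP_BAD_TERMINATOR;
    p++;

    /* The check the report asks for: the payload plus its closing quote
     * and ';' must fit inside the input that is actually left. Written so
     * that the comparison itself cannot overflow. */
    remaining = (size_t)(end - p);
    if (remaining < 2 || remaining - 2 < len)
        return SP_LENGTH_EXCEEDS;
    if (p[len] != '"' || p[len + 1] != ';')
        return SP_BAD_TERMINATOR;

    *out = malloc(len + 1);   /* len + 1 cannot overflow: len <= remaining - 2 */
    if (*out == NULL)
        return SP_NO_MEMORY;
    memcpy(*out, p, len);     /* safe: len bytes are known to exist */
    (*out)[len] = '\0';
    *consumed = (size_t)(p + len + 2 - buf);
    return SP_OK;
}

/* Convenience wrappers for NUL-terminated inputs. */
int parse_status(const char *input)
{
    char *s; size_t n;
    int rc = (int)parse_serialized_string(input, strlen(input), &s, &n);
    free(s);
    return rc;
}

long payload_len(const char *input)
{
    char *s; size_t n;
    if (parse_serialized_string(input, strlen(input), &s, &n) != SP_OK)
        return -1;
    long len = (long)strlen(s);
    free(s);
    return len;
}

int main(void)
{
    /* Constructed inputs: a valid token plus the two crashers from the report. */
    const char *inputs[] = { "s:5:\"hello\";", "s:-1:\"\";", "s:99999999:\"\";" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s -> status %d\n", inputs[i], parse_status(inputs[i]));
    return 0;
}
```

The length is accumulated as an unsigned value with an overflow test on every digit, so `s:-1:` fails at the sign rather than becoming a huge copy length, and the remaining-input comparison is arranged so that neither `len + 2` nor the pointer arithmetic can wrap before the memcpy runs.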
------------------------------------------------------------------------

[2003-09-03 11:27:10] [EMAIL PROTECTED]

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.



------------------------------------------------------------------------

[2003-09-03 05:21:33] skissane at ics dot mq dot edu dot au

Description:
------------
Invalid string data passed to unserialize function causes segfault.

Reproduce code:
---------------
<? unserialize("s:-1:\"\";"); ?>


Expected result:
----------------
No segfault.
Raise an error about data passed to unserialize being invalid.

Actual result:
--------------
#0  0x4207c45c in memcpy () from /lib/tls/libc.so.6
#1  0x081192e0 in _estrndup (s=0xbfffcb04 "\024\220\035\b", length=136191999) at /home/skissane/php-4.3.3/Zend/zend_alloc.c:387
#2  0x080dae02 in php_var_unserialize (rval=0xbfffcb04, p=0xbfffcae4, max=0x81d8ffc "", var_hash=0xbfffcae8) at /home/skissane/php-4.3.3/ext/standard/var_unserializer.c:549
#3  0x080d2d5c in zif_unserialize (ht=1, return_value=0x81d9014, this_ptr=0x0, return_value_used=0) at /home/skissane/php-4.3.3/ext/standard/var.c:671
#4  0x081335ea in execute (op_array=0x81dcec4) at /home/skissane/php-4.3.3/Zend/zend_execute.c:1616
#5  0x08126d0d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/skissane/php-4.3.3/Zend/zend.c:885
#6  0x081016d7 in php_execute_script (primary_file=0xbfffefc0) at /home/skissane/php-4.3.3/main/main.c:1723
#7  0x081381f3 in main (argc=2, argv=0xbffff044) at /home/skissane/php-4.3.3/sapi/cli/php_cli.c:818
#8  0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=25378&edit=1
