From:             takanota at alpha dot co dot jp
Operating system: Linux
PHP version:      4.3.6
PHP Bug Type:     Reproducible crash
Bug description:  crash when serialize() is called twice on the same __PHP_Incomplete_Class object

Description:
------------
When serialize() is called twice on the same __PHP_Incomplete_Class object, PHP
crashes on the second serialize().

I found this problem with the Apache and CLI SAPIs on Red Hat Linux 9 (kernel
2.4.20-8, not SMP).

If memory_limit is enabled, PHP reports a memory-limit error (it tries to
allocate over 1 GB!).
If memory_limit is disabled, PHP crashes with a segmentation fault.

It seems that serialize() drops the __PHP_Incomplete_Class_Name member.


Reproduce code:
---------------
<?php
// "testclass" is not defined in this script, so unserialize() produces an
// instance of __PHP_Incomplete_Class that carries the original class name
// in its __PHP_Incomplete_Class_Name member.
$object = unserialize('O:9:"testclass":1:{s:5:"value";i:100;}');

// First serialize(): works, and should leave $object unchanged.
var_dump($object);
echo serialize($object), "\n\n";

// Second serialize() of the very same object: should print the same string.
var_dump($object);
echo serialize($object), "\n\n";


Expected result:
----------------
object(__PHP_Incomplete_Class)(2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(9) "testclass"
  ["value"]=>
  int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}

object(__PHP_Incomplete_Class)(2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(9) "testclass"
  ["value"]=>
  int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}



Actual result:
--------------
object(__PHP_Incomplete_Class)(2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(9) "testclass"
  ["value"]=>
  int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}

object(__PHP_Incomplete_Class)(1) {
  ["value"]=>
  int(100)
}

Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to
allocate 1107768167 bytes) in /home/takanota/php/serialize.php on line 8


If memory_limit is disabled, PHP crashes with a segmentation fault.

Backtrace:
------------
#0  0x4207c1ac in memcpy () from /lib/tls/libc.so.6
#1  0x080afe24 in smart_str_appendl_ex (dest=0xbfffd030, src=0x8159e74 "\204\223\025\b\001", len=1, what=0)
    at php_smart_str.h:84
#2  0x080b0070 in php_var_serialize_class_name (buf=0xbfffd030, struc=0x8159e74)
    at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:430
#3  0x080af926 in php_var_serialize_intern (buf=0xbfffd030, struc=0x8159e74, var_hash=0xbfffd040)
    at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:574
#4  0x080afa94 in php_var_serialize (buf=0xbfffd030, struc=0x8159e74, var_hash=0xbfffd040)
    at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:626
#5  0x080afb36 in zif_serialize (ht=1, return_value=0x81592ec, this_ptr=0x0, return_value_used=1)
    at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:649
#6  0x080febe2 in execute (op_array=0x815f48c)
    at /home/takanota/local/src/php-4.3.6/Zend/zend_execute.c:1635
#7  0x080eef25 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/takanota/local/src/php-4.3.6/Zend/zend.c:886
#8  0x080bf8aa in php_execute_script (primary_file=0xbffff660)
    at /home/takanota/local/src/php-4.3.6/main/main.c:1731
#9  0x081048c9 in main (argc=2, argv=0xbffff6f4)
    at /home/takanota/local/src/php-4.3.6/sapi/cli/php_cli.c:822
#10 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6


-- 
Edit bug report at http://bugs.php.net/?id=28215&edit=1
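The report above shows that an object whose class was not loaded at unserialize() time (an __PHP_Incomplete_Class instance) is a hazard to hand back to serialize(). A defensive application check is to refuse to re-serialize such a value at all: incomplete-class objects usually mean stale or untrusted serialized data is being round-tripped by code that does not know the class, so flagging them is worthwhile regardless of this particular crash. The following is an added example, not code from the bug report or from PHP itself; the function names find_incomplete_classes and safe_serialize are made up for illustration, and it assumes get_object_vars() exposes the __PHP_Incomplete_Class_Name member the way var_dump() does in the report.

```php
<?php
// Added example (not part of the bug report). Walk an unserialized value and
// collect every __PHP_Incomplete_Class instance found in it, with the path
// at which it sits and the original class name it carries.
function find_incomplete_classes($value, $path = '$value')
{
    $found = array();

    if (is_object($value)) {
        // get_class() returned lowercase names on PHP 4, so compare case-insensitively.
        if (strtolower(get_class($value)) == '__php_incomplete_class') {
            // Assumption: the original class name survives as a pseudo-property,
            // as var_dump() shows in the report.
            $vars = get_object_vars($value);
            $name = isset($vars['__PHP_Incomplete_Class_Name'])
                ? $vars['__PHP_Incomplete_Class_Name']
                : '(unknown)';
            $found[] = $path . ": incomplete class '" . $name . "'";
            return $found;
        }
        // A normal object: descend into its properties like an array.
        $value = get_object_vars($value);
    }

    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $found = array_merge(
                $found,
                find_incomplete_classes($v, $path . '[' . $k . ']')
            );
        }
    }

    return $found;
}

// Serialize only when the value contains no incomplete-class objects;
// otherwise warn and return false so the caller cannot silently persist
// (or, on the affected PHP version, crash on) a half-known object.
function safe_serialize($value)
{
    $problems = find_incomplete_classes($value);
    if (count($problems) > 0) {
        trigger_error(
            'refusing to serialize: ' . implode('; ', $problems),
            E_USER_WARNING
        );
        return false;
    }
    return serialize($value);
}

// Constructed input for the demonstration: a nested object of a class that is
// not defined in this script, so unserialize() yields __PHP_Incomplete_Class.
$data = unserialize('a:1:{s:3:"obj";O:9:"testclass":1:{s:5:"value";i:100;}}');

var_dump(safe_serialize($data));          // warns about $value[obj], returns false
var_dump(safe_serialize(array('ok' => 1))); // no incomplete class: returns the string
?>
```

The check walks arrays and ordinary objects recursively, so an incomplete-class instance buried inside a session array or a cached structure is caught as well as the top-level case from the report. Defining (or autoloading) the missing class before calling unserialize() remains the real fix; this guard only stops the damaged value from going any further.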