ID: 37947
Updated by: [EMAIL PROTECTED]
Reported By: wmeler at wp dot pl
-Status: Assigned
+Status: Closed
Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 5.1.5CVS
Assigned To: dmitry
New Comment:

Fixed in CVS HEAD and PHP_5_2.

Previous Comments:
------------------------------------------------------------------------

[2006-06-28 20:19:47] [EMAIL PROTECTED]

Dmitry, could you plz check it out?

------------------------------------------------------------------------

[2006-06-28 14:17:21] wmeler at wp dot pl

Description:
------------
Argument stack reallocations may cause heap corruption or segmentation faults. Functions that accept arguments through zend_get_parameters (zval ** - a pointer to a zend_ptr_stack element) and run user callbacks that may need more stack space are affected. So unserialize (__wakeup), sort functions in the 4.4 version, and so on. Also, using a complicated user error handler is quite risky.

Reproduce code:
---------------
<?php
class test {
    // Recurse with five arguments so each frame pushes more entries
    // onto the argument stack and forces it to be reallocated.
    function extend_zend_ptr_stack($count, $a, $b, $c, $d, $e) {
        if ($count > 0) {
            $this->extend_zend_ptr_stack($count - 1, $a, $b, $c, $d, $e);
        }
    }

    // Called by unserialize() while it still holds pointers into the stack.
    function __wakeup() {
        $this->extend_zend_ptr_stack(10, 'a', 'b', 'c', 'd', 'e');
    }
}

// Malformed input: a valid "test" object followed by junk, so that
// unserialize() fails after __wakeup() has grown the stack.
$str = 'a:2:{i:0;O:4:"test":0:{}junk';
var_dump(unserialize($str));

Expected result:
----------------
bool(false)

Actual result:
--------------
#0 0x081be837 in zif_unserialize (ht=1, return_value=0x9b97ddc, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /root/cvs/php_5_1/ext/standard/var.c:860
#1 0x08234f10 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfec6c80) at /root/cvs/php_5_1/Zend/zend_vm_execute.h:192
#2 0x082348a1 in execute (op_array=0x9ba611c) at /root/cvs/php_5_1/Zend/zend_vm_execute.h:92
#3 0x0821acb2 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/cvs/php_5_1/Zend/zend.c:1101
#4 0x081e2804 in php_execute_script (primary_file=0xbfec9180) at /root/cvs/php_5_1/main/main.c:1719
#5 0x08285f9e in main (argc=2, argv=0xbfec9254) at /root/cvs/php_5_1/sapi/cli/php_cli.c:1090

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=37947&edit=1
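Added illustration of the pointer-invalidation pattern the description above refers to; this is a constructed C model, not the bug report's code and not the Zend engine's zend_ptr_stack or unserialize(). The stack type, its always-moving growth rule and the callback standing in for __wakeup are assumptions made for the example; the contrast shown is holding a pointer to a stack slot across the callback versus copying the element out first.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a growable pointer stack. Growth always moves the
   array (the worst case of realloc), so any pointer to a slot taken before
   growth refers to freed memory afterwards. moves counts how often that happened. */
typedef struct { void **elements; size_t top, max, moves; } ptr_stack;

static void ps_init(ptr_stack *s) {
    s->max = 4; s->top = 0; s->moves = 0;
    s->elements = malloc(s->max * sizeof *s->elements);
}
static void ps_push(ptr_stack *s, void *p) {
    if (s->top == s->max) {
        void **moved = malloc(2 * s->max * sizeof *moved);  /* distinct block */
        memcpy(moved, s->elements, s->top * sizeof *moved);
        free(s->elements);
        s->elements = moved; s->max *= 2; s->moves++;
    }
    s->elements[s->top++] = p;
}

/* Stand-in for a user callback (such as __wakeup) that needs more stack space. */
static void deep_callback(ptr_stack *s, int pushes) {
    while (pushes-- > 0) ps_push(s, NULL);
}

/* Unsafe pattern: keep a pointer INTO the stack (the role of a zval** from
   zend_get_parameters) across the callback. Returns 1 if the array moved
   while the slot pointer was held, i.e. the pointer is now dangling.
   The stale pointer is deliberately never dereferenced here. */
static int slot_pointer_dangles(int pushes) {
    ptr_stack s; ps_init(&s);
    int value = 42;
    ps_push(&s, &value);
    void **slot = &s.elements[0];
    deep_callback(&s, pushes);
    int dangles = s.moves > 0;
    (void)slot;
    free(s.elements);
    return dangles;
}

/* Safe pattern: copy the element (the pointer stored in the slot) out before
   running the callback; the copy points at the value, not into the array. */
static int copied_value_survives(int pushes) {
    ptr_stack s; ps_init(&s);
    int value = 42;
    ps_push(&s, &value);
    int *arg = s.elements[0];
    deep_callback(&s, pushes);
    int result = *arg;
    free(s.elements);
    return result;
}
```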