From: tony2001
Operating system: Linux 64bit
PHP version: 5.4.0beta2
Package: Session related
Bug Type: Bug
Bug description: invalid read/writes when unserializing specially crafted strings
Description:
------------
The following tests in 5_4 branch:
ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
ext/session/tests/session_decode_error2.phpt
under Valgrind show several issues that might be quite dangerous.
This issue exists in 5_4 only and is not reproducible in 5_3 branch.

Valgrind log:

==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==    by 0x725681: ps_srlzr_decode_php (session.c:920)
==18527==    by 0x7232A8: php_session_decode (session.c:216)
==18527==    by 0x7293D7: zif_session_decode (session.c:1854)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527==  Address 0xa1b0595 is 0 bytes after a block of size 5 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==    by 0x963158: _emalloc (zend_alloc.c:2423)
==18527==    by 0x96371F: _estrndup (zend_alloc.c:2596)
==18527==    by 0x82D95B: zif_substr (string.c:2269)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527==
==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==    by 0x85D455: process_nested_data (var_unserializer.re:278)
==18527==    by 0x85EC75: php_var_unserialize (var_unserializer.re:604)
==18527==    by 0x725681: ps_srlzr_decode_php (session.c:920)
==18527==    by 0x7232A8: php_session_decode (session.c:216)
==18527==    by 0x7293D7: zif_session_decode (session.c:1854)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==  Address 0xa1be08a is 0 bytes after a block of size 10 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==    by 0x963158: _emalloc (zend_alloc.c:2423)
==18527==    by 0x96371F: _estrndup (zend_alloc.c:2596)
==18527==    by 0x82D95B: zif_substr (string.c:2269)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527==
==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==    by 0x85D5E4: process_nested_data (var_unserializer.re:292)
==18527==    by 0x85EC75: php_var_unserialize (var_unserializer.re:604)
==18527==    by 0x725681: ps_srlzr_decode_php (session.c:920)
==18527==    by 0x7232A8: php_session_decode (session.c:216)
==18527==    by 0x7293D7: zif_session_decode (session.c:1854)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==  Address 0xa1c928e is 0 bytes after a block of size 14 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==    by 0x963158: _emalloc (zend_alloc.c:2423)
==18527==    by 0x96371F: _estrndup (zend_alloc.c:2596)
==18527==    by 0x82D95B: zif_substr (string.c:2269)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527==

SplObjectStorage_unserialize_bad.mem

==32709== Invalid read of size 4
==32709==    at 0x85FC02: php_var_unserialize (zend.h:387)
==32709==    by 0x7C65A7: zim_spl_SplObjectStorage_unserialize (spl_observer.c:860)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==
==32709== Invalid write of size 4
==32709==    at 0x85FC0F: php_var_unserialize (zend.h:387)
==32709==    by 0x7C65A7: zim_spl_SplObjectStorage_unserialize (spl_observer.c:860)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==
==32709== Invalid write of size 1
==32709==    at 0x85FC2A: php_var_unserialize (zend.h:403)
==32709==    by 0x7C65A7: zim_spl_SplObjectStorage_unserialize (spl_observer.c:860)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0495 is 21 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==
==32709== Invalid read of size 1
==32709==    at 0x7C65CB: zim_spl_SplObjectStorage_unserialize (spl_observer.c:864)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0494 is 20 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==
==32709== Invalid read of size 4
==32709==    at 0x982FC8: _zval_ptr_dtor (zend.h:391)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==
==32709== Invalid write of size 4
==32709==    at 0x982FD2: _zval_ptr_dtor (zend.h:391)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==
==32709== Invalid read of size 4
==32709==    at 0x982FE4: _zval_ptr_dtor (zend.h:379)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==
==32709== Invalid read of size 8
==32709==    at 0x983009: _zval_ptr_dtor (zend_execute_API.c:437)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0498 is 24 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==
==32709== Invalid read of size 1
==32709==    at 0x98303C: _zval_ptr_dtor (zend_variables.h:32)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0494 is 20 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==
==32709== Invalid free() / delete / delete[]
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==  Address 0xa1b0480 is 0 bytes inside a block of size 32 free'd
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x9631D1: _efree (zend_alloc.c:2433)
==32709==    by 0x98307F: _zval_ptr_dtor (zend_execute_API.c:439)
==32709==    by 0x7C64EC: zim_spl_SplObjectStorage_unserialize (spl_observer.c:845)
==32709==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==32709==    by 0x9D9151: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==32709==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==32709==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==32709==    by 0x90F847: php_execute_script (main.c:2414)
==32709==    by 0xAE214C: do_cli (php_cli.c:983)
==32709==    by 0xAE3064: main (php_cli.c:1356)
==32709==

Test script:
---------------
See these tests:
ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
ext/session/tests/session_decode_error2.phpt

-- 
Edit bug report at https://bugs.php.net/bug.php?id=60240&edit=1
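A reviewer triaging a memcheck log like the one above wants each error classified by defect class (out-of-bounds heap read, write into freed memory, double free) with the first PHP-side frame, rather than a wall of repeated stacks. The helper below is an added example, not part of the bug report or of PHP's own test suite; its sample input is constructed from three of the errors quoted in this report, trimmed to a few frames.

```python
"""Added triage helper for Valgrind memcheck output like the log above: groups each
'Invalid ...' error with its fault stack and 'Address ...' line, then labels it."""
import re
from dataclasses import dataclass, field

# Constructed sample: three errors copied from this report, trimmed to a few frames.
SAMPLE_LOG = """\
==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==    by 0x725681: ps_srlzr_decode_php (session.c:920)
==18527==  Address 0xa1b0595 is 0 bytes after a block of size 5 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==
==32709== Invalid write of size 4
==32709==    at 0x85FC0F: php_var_unserialize (zend.h:387)
==32709==    by 0x7C65A7: zim_spl_SplObjectStorage_unserialize (spl_observer.c:860)
==32709==  Address 0xa1b0490 is 16 bytes inside a block of size 32 free'd
==32709==
==32709== Invalid free() / delete / delete[]
==32709==    at 0x4C2599C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32709==    by 0x7C65E8: zim_spl_SplObjectStorage_unserialize (spl_observer.c:865)
==32709==  Address 0xa1b0480 is 0 bytes inside a block of size 32 free'd
"""

PREFIX = re.compile(r"^==\d+==\s?(.*)$")
FRAME = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
ADDR = re.compile(r"^\s*Address 0x[0-9a-f]+ is \d+ bytes (after|before|inside) "
                  r"a block of size \d+ (alloc'd|free'd)$")

@dataclass
class Finding:
    kind: str                                   # header, e.g. "Invalid read of size 1"
    frames: list = field(default_factory=list)  # (function, location) of the faulting stack
    relation: str = ""                          # "after" / "before" / "inside" the block
    block_state: str = ""                       # "alloc'd" or "free'd"

    @property
    def category(self) -> str:
        if self.block_state == "free'd":        # freed memory touched again
            return "double-free" if self.kind.startswith("Invalid free") else "use-after-free"
        if self.block_state == "alloc'd" and self.relation != "inside":
            return "heap-overflow-" + ("write" if "write" in self.kind else "read")
        return "unknown"

    def php_site(self):  # first fault frame in PHP's sources, skipping Valgrind's preload shims
        return next((f for f in self.frames if not f[1].startswith("in ")), None)

def parse_memcheck(text: str) -> list:
    findings, current, in_fault = [], None, False
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        body = m.group(1)
        if body.startswith("Invalid "):
            current = Finding(kind=body.strip())
            findings.append(current)
            in_fault = True                     # frames up to the Address line are the fault
        elif current and (a := ADDR.match(body)):
            current.relation, current.block_state = a.group(1), a.group(2)
            in_fault = False                    # later frames describe the alloc/free site
        elif in_fault and (f := FRAME.match(body)):
            current.frames.append((f.group(1), f.group(2)))
    return findings
```

Run over the full log, the session errors all classify as heap over-reads one byte past a substr() result, while every SplObjectStorage error is a use of the block freed at spl_observer.c:845.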