Edit report at https://bugs.php.net/bug.php?id=62836&edit=1
ID: 62836
Updated by: larue...@php.net
Reported by: daniel dot beardsley at gmail dot com
Summary: Seg fault or broken object references on
unserialize()
-Status: Open
+Status: Closed
Type: Bug
Package: Reproducible crash
Operating System: CentOS
PHP Version: 5.4.5
-Assigned To:
+Assigned To: laruence
Block user comment: N
Private report: N
New Comment:
This bug has been fixed in SVN.
Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
For Windows:
http://windows.php.net/snapshots/
Thank you for the report, and for helping us make PHP better.
Previous Comments:
------------------------------------------------------------------------
[2012-08-17 10:30:15] larue...@php.net
Automatic comment on behalf of laruence
Revision:
http://git.php.net/?p=php-src.git;a=commit;h=0b23da1c74c52a819b728c78c66c182511223355
Log: Fixed bug #62836 (Seg fault or broken object references on unserialize())
------------------------------------------------------------------------
[2012-08-17 10:26:40] larue...@php.net
Automatic comment on behalf of laruence
Revision:
http://git.php.net/?p=php-src.git;a=commit;h=0b23da1c74c52a819b728c78c66c182511223355
Log: Fixed bug #62836 (Seg fault or broken object references on unserialize())
------------------------------------------------------------------------
[2012-08-16 18:44:38] james at ifixit dot com
I've just reproduced this on a build from master, at commit
b5305d267b6c3b1b09ab0ba4ecf4f66edc5d4077 .
root 11:37:49 serialize > php --version
PHP 5.5.0-dev (cli) (built: Aug 16 2012 11:37:55)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
root 11:39:37 serialize > ./run_test.sh
./run_test.sh: line 3: 2267 Segmentation fault php
unserialize_autoload.php > after.out
Original ==========
in autoload: A
in autoload: B
object(A)#1 (4) {
["b"]=>
object(B)#2 (0) {
}
["b1"]=>
object(B)#2 (0) {
}
["c"]=>
object(B)#3 (0) {
}
["c1"]=>
object(B)#3 (0) {
}
}
Unserialized ======
in autoload: A
in autoload: B
object(A)#1 (4) {
["b"]=>
object(B)#2 (0) {
}
["b1"]=>
object(B)#2 (0) {
}
["c"]=>
object(B)#3 (0) {
}
["c1"]=>
NULL
}
Diff ==============
14,15c14
< object(B)#3 (0) {
< }
---
> NULL
FAILED ============
I built php with the following configure line:
./configure --host=i686-redhat-linux-gnu --build=i686-redhat-linux-gnu \
--target=i386-redhat-linux --program-prefix= --prefix=/usr --exec-prefix=/usr \
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share \
--includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec \
--localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man \
--infodir=/usr/share/info --with-libdir=lib64 --with-config-file-path=/etc \
--with-config-file-scan-dir=/etc/php.d --disable-debug --with-pic \
--disable-rpath --with-bz2 --with-curl --with-exec-dir=/usr/bin \
--with-freetype-dir=/usr --with-png-dir=/usr --enable-gd-native-ttf \
--without-gdbm --with-gettext --with-gmp --with-iconv --with-jpeg-dir=/usr \
--with-openssl --with-pcre-regex=/usr --with-zlib --with-layout=GNU \
--enable-exif --enable-ftp --enable-magic-quotes --enable-sockets \
--enable-sysvsem --enable-sysvshm --enable-sysvmsg --enable-wddx \
--with-kerberos --enable-shmop --enable-calendar \
--without-sqlite --with-libxml-dir=/usr \
--enable-pcntl --with-imap=/usr/lib64 \
--with-imap-ssl=/usr/local/ssl/include/openssl --enable-mbstring \
--enable-mbregex --with-gd --enable-bcmath --with-xmlrpc=shared \
--with-mysql=mysqlnd --with-mysqli=mysqlnd \
--enable-dom --enable-soap=shared --with-xsl=shared,/usr \
--enable-xmlreader=shared --enable-xmlwriter=shared --with-readline \
--with-mcrypt=/usr/local/include/mcrypt --with-mhash --with-tidy=shared,/usr \
--enable-sigchild --enable-intl --with-apxs2=/usr/sbin/apxs \
--enable-fpm --with-fpm-user=apache --with-fpm-group=apache
------------------------------------------------------------------------
[2012-08-16 08:59:19] daniel dot beardsley at gmail dot com
Description:
------------
Occurs on php 5.4.0, but not on 5.3 (I'll try on other versions soon).
Please run this test from /tmp/serialize/run_tests.sh (see bottom for
explanation)
## Description ##
If calling unserialize() somehow calls back into user code (i.e. autoloading a
class while unserializing it) and user code does another unserialize() (no
matter what it is), object references in the outer unserialization process
won't
be restored correctly. Sometimes the outer call can result in a Segmentation
Fault instead of just broken references.
In particular, object refrerences will often be replaced with a seemingly random
value from your serialized object graph (or NULL).
The call stack at the time of the problem looks like this:
#0 /tmp/serialize/setup.php(6): unserialize('i:4');
#1 [internal function]: __autoload('A')
#2 /tmp/serialize/unserialize_autoload.php(4): unserialize('O:1:"A":4:
{s:1:...')
#3 {main}
The unserialize call in frame #2 returns incorrect results because of the
"recursive" unserialize call in frame #0.
Note:
For reasons that completely escape me, this code seems dependent on the literal
path it's run from. Some paths hide the bug, some cause failure, and some
cause
a SegFault. It's consistent on a per-path basis, but I found no pattern.
Test script:
---------------
https://gist.github.com/3353895
Expected result:
----------------
Before and After output should be the same. Last line of output should read:
"Passed, no differences"
Before Serialization:
class A#1 (4) {
public $b =>
class B#2 (0) {
}
public $b1 =>
class B#2 (0) {
}
public $c =>
class B#3 (0) {
}
public $c1 =>
class B#3 (0) {
}
}
Actual result:
--------------
After Serialization:
class A#1 (4) {
public $b =>
class B#2 (0) {
}
public $b1 =>
string(2) "1\000"
public $c =>
class B#3 (0) {
}
public $c1 =>
NULL
}
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=62836&edit=1
