From: tony2001
Operating system: *
PHP version: 5.4Git-2012-10-26 (Git)
Package: Reproducible crash
Bug Type: Bug
Bug description: (un)serialize() leaves dangling pointers, causes crashes

Description:
------------
When a fatal error happens in a __sleep/__wakeup function, BG(serialize) and BG(unserialize) contents are left intact and the next request will get those pointers again, even though at that moment they are already freed by Zend memory manager during request shutdown.
If you're lucky, there is a chance you'll reuse them, which causes an immediate crash.

The attached script demonstrates the problem with serialize() and I'm kinda lazy to do the same for unserialize(), especially taking into account that the patch is extremely simple.

Test script:
---------------
<?php
class bar1 {
    function __sleep() {
        foo(); // undefined function: fatal error inside __sleep
    }
}

class foo1 {
    function __sleep() {
        var_dump(serialize(array("test", "1", 234)));
        var_dump(serialize(new bar1));
    }
}

$o = new foo1;
var_dump(unserialize('O:8:"stdclass":0:{}')); // to clear BG(serialize_lock)
var_dump(serialize($o));

Expected result:
----------------
.

Actual result:
--------------
.

--
Edit bug report at https://bugs.php.net/bug.php?id=63369&edit=1
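
The lifecycle the report describes, as a simplified C model added here (not PHP source and not the patch the report refers to): process-wide state keeps a pointer into request memory, a fatal error skips the cleanup, and the next request takes the nested-call path. All names are hypothetical, serialize_lock is left out, and resetting the state at request startup is an assumed mitigation.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the lifecycle in the report; not PHP source.
 * All names are hypothetical and serialize_lock is left out. */
struct ser_state {          /* stands in for BG(serialize) */
    void *var_hash;         /* allocated from request memory */
    unsigned level;         /* nesting depth of serialize() calls */
    unsigned long owner;    /* request that allocated var_hash (model only) */
};
static struct ser_state g_ser;   /* process-wide, outlives a request */
static void *arena[8];           /* request-scoped allocations */
static int arena_n;
static unsigned long request_id;
static jmp_buf bailout;          /* fatal errors unwind to here */

static void *req_alloc(size_t n) { return arena[arena_n++] = calloc(1, n); }

/* Returns 1 if this call would pick up a hash freed by an earlier request. */
static int model_serialize(int fatal_in_sleep) {
    int stale = 0;
    if (g_ser.level == 0) {                   /* outermost call: allocate */
        g_ser.var_hash = req_alloc(64);
        g_ser.owner = request_id;
    } else if (g_ser.owner != request_id) {   /* nested path, foreign pointer */
        stale = 1;
    }
    g_ser.level++;
    if (fatal_in_sleep) longjmp(bailout, 1);  /* cleanup below is skipped */
    if (--g_ser.level == 0) g_ser.var_hash = NULL;
    return stale;
}

/* One request: startup, one serialize() call, shutdown frees the arena. */
static int run_request(int fatal_in_sleep, int reset_on_startup) {
    volatile int stale = 0;
    request_id++;
    if (reset_on_startup) memset(&g_ser, 0, sizeof g_ser);  /* mitigation */
    if (setjmp(bailout) == 0) stale = model_serialize(fatal_in_sleep);
    while (arena_n > 0) free(arena[--arena_n]);  /* request shutdown */
    return stale;
}

/* Request 1 dies in __sleep; request 2 serializes normally. */
int second_request_reuses_freed_hash(int reset_on_startup) {
    memset(&g_ser, 0, sizeof g_ser);
    run_request(1, reset_on_startup);
    return run_request(0, reset_on_startup);
}
```

The model never dereferences the stale pointer; it flags the reuse by comparing the owning request id, which is why it can run safely.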