ID:               27484
 Updated by:       [EMAIL PROTECTED]
 Reported By:      friosa at pnpitalia dot it
-Status:           Open
+Status:           Feedback
 Bug Type:         Reproducible crash
 Operating System: Linux 2.4.18-4GB
 PHP Version:      5CVS-2004-03-03 (dev)
 New Comment:

The serialized string in your example code is invalid.

Please provide a working version and WITHOUT the base64 encoding!!




Previous Comments:
------------------------------------------------------------------------

[2004-03-03 15:32:29] friosa at pnpitalia dot it

Description:
------------
Investigating bug #27469, I've tried to serialize an object that, when
used, was crashing php + apache.

Trying to unserialize it on php 4.x produces a boolean true variable;
doing the same on php 5 cvs creates a crash, but in a different
fx/program (php_var_serialize_class_name / var.c).









Reproduce code:
---------------
<?php

$mime_part=unserialize(base64_decode("TzoxMjoiTUlNRV9NZXNzYWdlIjoxOTp7czo2OiJfYnVpbGQiO2I6MTtzOjE0OiJfZGVmYXVsdFNlcnZlciI7czo4OiJ3d3cyLnBucCI7czo1OiJfdHlwZSI7czo0OiJ0ZXh0IjtzOjg6Il9zdWJ0eXBlIjtpOjA7czo5OiJfY29udGVudHMiO3M6MDoiIjtzOjE3OiJfdHJhbnNmZXJFbmNvZGluZyI7czo0OiI3Yml0IjtzOjExOiJfZW5jb2RlN2JpdCI7YjoxO3M6MTI6Il9kZXNjcmlwdGlvbiI7czowOiIiO3M6MTI6Il9kaXNwb3NpdGlvbiI7czo2OiJpbmxpbmUiO3M6MjI6Il9kaXNwb3NpdGlvblBhcmFtZXRlcnMiO2E6MDp7fXM6MjI6Il9jb250ZW50VHlwZVBhcmFtZXRlcnMiO2k6MDtzOjY6Il9wYXJ0cyI7YTowOnt9czoxMjoiX2luZm9ybWF0aW9uIjtpOjA7czo2OiJfYnl0ZXMiO3I6MTtzOjU6Il9jaWRzIjthOjA6e31zOjc6Il9taW1laWQiO2k6MDtzOjQ6Il9lb2wiO3M6MToiCiI7czo2OiJfZmxhZ3MiO2k6MDtzOjY6Il9pZG1hcCI7YTowOnt9fQ=="));$pluto=unserialize(base64_decode("TzoxMjoiSU1QX0NvbnRlbnRzIjoxNTp7czo1OiJfYm9keSI7czowOiIiO3M6OToiX2JvZHlwYXJ0IjthOjA6e31zOjY6Il9pbmRleCI7czozOiIxMDQiO3M6NjoiX3N0cmlwIjtiOjA7czo4OiJfbWVzc2FnZSI7TzoxMjoiTUlNRV9NZXNzYWdlIjoxOTp7czo2OiJfYnVpbGQiO2I6MTtzOjE0OiJfZGVmYXVsdFNlcnZlciI7czo4OiJ3d3cyLnBucCI7czo1OiJfdHlwZSI7czo0OiJ0ZXh0IjtzOjg6Il9zdWJ0eXBlIjtpOjA7czo5OiJfY29udGVudHMiO3M6MDoiIjtzOjE3OiJfdHJhbnNmZXJFbmNvZGluZyI7czo0OiI3Yml0IjtzOjExOiJfZW5jb2RlN2JpdCI7YjoxO3M6MTI6Il9kZXNjcmlwdGlvbiI7czowOiIiO3M6MTI6Il9kaXNwb3NpdGlvbiI7czo2OiJpbmxpbmUiO3M6MjI6Il9kaXNwb3NpdGlvblBhcmFtZXRlcnMiO2E6MDp7fXM6MjI6Il9jb250ZW50VHlwZVBhcmFtZXRlcnMiO2k6MDtzOjY6Il9wYXJ0cyI7YTowOnt9czoxMjoiX2luZm9ybWF0aW9uIjtpOjA7czo2OiJfYnl0ZXMiO3M6MDoiIjtzOjU6Il9jaWRzIjthOjA6e31zOjc6Il9taW1laWQiO2k6MDtzOjQ6Il9lb2wiO3M6MToiCiI7czo2OiJfZmxhZ3MiO2k6MDtzOjY6Il9pZG1hcCI7YTowOnt9fXM6NDoiX2F0YyI7YTowOnt9czo2OiJfcGFydHMiO2E6MDp7fXM6ODoiX3N1bW1hcnkiO2E6MDp7fXM6MTU6Il9zZXNzaW9uQ2FjaGVJRCI7TjtzOjEyOiJfdmlld2VyQ2FjaGUiO2E6MDp7fXM6MTI6Il9kaXNwbGF5VHlwZSI7czo0OiJsaXN0IjtzOjg6Il9taW1la2V5IjtOO3M6NzoiX3ZpZXdJRCI7YToyOntzOjg6ImRvd25sb2FkIjtzOjQzOiJmYWlsZWQgdG8gZmx1c2ggYnVmZmVyLiBObyBidWZmZXIgdG8gZmx1c2guIjtzOjQ6InZpZXciO3M6MTE6InZpZXdfYXR0YWNoIjt9czo2OiJfbGlua3MiO2I6MTtzOjU6Il9iYXNlIjtOO30="));



$pluto->buildMessagePart($mime_part);

define('MIME_CONTENTS_CACHE', 'mimecache');

class MIME_Contents {
    function MIME_Contents($messageOb, $viewID = array(), $contents = array()) {}

    function buildMessagePart(&$mime_part)
    {
        $msg = '';
        // CRASH HERE
        echo "<pre>" . addslashes(serialize($mime_part)) . "</pre>";
        return $msg;
    }
}

class IMP_Contents extends MIME_Contents {
    function IMP_Contents($index)   {}
}

?>



Actual result:
--------------
Bug #27469      zend_variables.c problem
Submitted:      2 Mar 6:00pm EST        Modified:       3 Mar 4:32am EST
From:   friosa at pnpitalia dot it
Status: Feedback        Category:       Zend Engine 2 problem
Version:        5.0.0b4 (beta4)         OS:     Linux 2.4.18-4GB

gdb ./httpd
(gdb) run -X
Starting program: /TEST/apache/bin/./httpd -X
[New Thread 1024 (LWP 17036)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 17036)]

0x4035080f in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x4035080f in memcpy () from /lib/libc.so.6
#1  0x405f8b0b in php_var_serialize_class_name (buf=0xbfffc4dc, struc=0x16f1520) at /TEST/php5-200403022230/ext/standard/var.c:480
#2  0x40698d73 in zend_do_fcall_common_helper (execute_data=0xbfffc850, opline=0xbfffc4d5, op_array=0xa) at /TEST/php5-200403022230/Zend/zend_execute.c:2677
#3  0x406703b9 in zend_execute_scripts (type=1081403672, retval=0x40d0d24c, file_count=516) at /TEST/php5-200403022230/Zend/zend.c:1041
(gdb)




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=27484&edit=1
