Buffer overflow with serialized object
[2005-08-09 07:15 UTC] david dot tulloh at anu dot edu dot au
Description:
------------
The attached code triggers what looks to me like a buffer overflow. I've been able to reproduce it on two different computers running a current and slightly older version of PHP CVS. Reproducible through both the CLI and Apache2.

I stumbled across this while trying to extend SimpleTest and then cut the code back to the smallest reproducible subset. I suspect that the problem starts when serializing-deserializing the singleton object. All the layers of seemingly redundant OOP are then required to bring out the error. I really have no idea why though.

Originally sent to security@php.net.

Reproduce code:
---------------
http://cmhr118130.anu.edu.au:100/overflow.phps

Expected result:
----------------
ClassWithError::__construct - 42 - type = string(14) "BasicSingleton"
ClassWithError::__construct - 44 - type = string(14) "BasicSingleton"

Actual result:
--------------
(continues past what's shown):
ClassWithError::__construct - 42 - type = string(14) "BasicSingleton"
ClassWithError::__construct - 44 - type = string(137552044) "tI3 P?]d_?l?O`F &&!?M`OClassWithError9@OO?O`1`O?O 1O?O 1?O?P