unserialize() causes php to segfault
| Bug #34311 | unserialize() causes php to segfault | ||||
|---|---|---|---|---|---|
| Submitted: | 2005-08-30 19:37 UTC | Modified: | 2005-09-05 18:25 UTC | ||
| From: | marco at storm dot ee | Assigned: | |||
| Status: | Closed | Package: | Reproducible crash | ||
| PHP Version: | 5CVS, 4CVS (2005-08-31) | OS: | * | ||
| Private report: | No | CVE-ID: | None | ||
[2005-08-30 19:37 UTC] marco at storm dot ee
Description:
------------
OS: Debian-AMD64, Linux 2.6.12.5
Configure line: configure --enable-debug --with-zlib
gdb:
Program terminated with signal 11, Segmentation fault.
#0 0x00000000004ede39 in php_var_unserialize (rval=0x7fffffd4cc90, p=0x7fffffd4cc58,
max=0x7bb831 "", var_hash=0x7fffffd4cc60)
at /home/marco/soft/php-4.4.0/ext/standard/var_unserializer.c:428
#1 0x00000000004e5045 in zif_unserialize (ht=1, return_value=0x7b45e0, this_ptr=0x0,
return_value_used=0) at /home/marco/soft/php-4.4.0/ext/standard/var.c:716
#2 0x0000000000570876 in execute (op_array=0x7b5200)
at /home/marco/soft/php-4.4.0/Zend/zend_execute.c:1672
#3 0x000000000055aa3d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /home/marco/soft/php-4.4.0/Zend/zend.c:938
#4 0x000000000051f878 in php_execute_script (primary_file=0x7fffffd4f6b0)
at /home/marco/soft/php-4.4.0/main/main.c:1751
#5 0x00000000005777a3 in main (argc=2, argv=0x7fffffd4f828)
at /home/marco/soft/php-4.4.0/sapi/cli/php_cli.c:828
Segfault reproduced with php4-STABLE-200508300648 and php-4.4.0.
Reproduce code:
---------------
<?php
$fp = fopen('http://194.204.33.43/test.txt', 'r');
$line = fread($fp, 1);
unserialize($line);
fclose($fp);
?>
Expected result:
----------------
no output
Actual result:
--------------
Segmentation fault
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commits
[2005-08-31 16:41 UTC] sniper@php.net
Short reproducing script: # php -r 'unserialize("?");' (that's a with ring above it :)[2005-09-05 18:25 UTC] sniper@php.net