From:             friosa at pnpitalia dot it
Operating system: Linux 2.4.18-4GB
PHP version:      5CVS-2004-03-03 (dev)
PHP Bug Type:     Reproducible crash
Bug description:  serialize / unserialize crash
Description:
------------
Investigating bug #27469 I've tried to serialize an object that was crashing php + apache. Trying to unserialize it on php 4.x produces a boolean true variable; doing the same on php 5 cvs creates a crash, but in a different fx/program (php_var_serialize_class_name / var.c).

Reproduce code:
---------------
<?php
$mime_part=unserialize(base64_decode("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"));
$pluto=unserialize(base64_decode("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"));
$pluto->buildMessagePart($mime_part);

define('MIME_CONTENTS_CACHE', 'mimecache');

class MIME_Contents {
    function MIME_Contents($messageOb, $viewID = array(), $contents = array()) {}

    function buildMessagePart(&$mime_part) {
        $msg = '';
        // CRASH HERE
        echo "<pre>" . addslashes(serialize($mime_part)) . "</pre>";
        return $msg;
    }
}

class IMP_Contents extends MIME_Contents {
    function IMP_Contents($index) {}
}
?>

Actual result:
--------------
Bug #27469 zend_variables.c problem
Submitted: 2 Mar 6:00pm EST
Modified:  3 Mar 4:32am EST
From:      friosa at pnpitalia dot it
Status:    Feedback
Category:  Zend Engine 2 problem
Version:   5.0.0b4 (beta4)
OS:        Linux 2.4.18-4GB

gdb ./httpd
(gdb) run -X
Starting program: /TEST/apache/bin/./httpd -X
[New Thread 1024 (LWP 17036)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 17036)]
0x4035080f in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x4035080f in memcpy () from /lib/libc.so.6
#1  0x405f8b0b in php_var_serialize_class_name (buf=0xbfffc4dc, struc=0x16f1520) at /TEST/php5-200403022230/ext/standard/var.c:480
#2  0x40698d73 in zend_do_fcall_common_helper (execute_data=0xbfffc850, opline=0xbfffc4d5, op_array=0xa) at /TEST/php5-200403022230/Zend/zend_execute.c:2677
#3  0x406703b9 in zend_execute_scripts (type=1081403672, retval=0x40d0d24c, file_count=516) at /TEST/php5-200403022230/Zend/zend.c:1041
(gdb)

-- 
Edit bug report at http://bugs.php.net/?id=27484&edit=1
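The backtrace places the fault in memcpy() called from php_var_serialize_class_name(), that is, while serialize() copies the class name of an object that unserialize() had earlier built from a base64-decoded blob. The added example below is not code from the report or from PHP; it is a strict parser for PHP's serialize() format written in Python that checks every declared length (strings, class names, element and property counts) against the bytes actually present and rejects the whole payload on any mismatch, rather than constructing an object whose class name does not agree with its declared length. The optional class allow-list mirrors the allowed_classes option PHP 7.0 later added to unserialize(). The sample payloads at the bottom are constructed for illustration; the report's own base64 payloads are not reproduced here.

```python
"""Strict parser for a subset of PHP's serialize() format.

Added example, not code from the bug report or from PHP. Every length
prefix is verified against the data actually present before a value
(or an object with that class name) is built.
"""
import re
from dataclasses import dataclass, field


class PhpSerializeError(ValueError):
    """Raised on any mismatch between declared and actual layout."""


@dataclass
class PhpObject:
    cls: str
    props: dict = field(default_factory=dict)


# PHP identifier characters, with '\' allowed for namespaced class names.
_IDENT = re.compile(rb"[A-Za-z_\x7f-\xff][A-Za-z0-9_\x7f-\xff\\]*")


class _Parser:
    def __init__(self, data: bytes, allowed_classes):
        self.data = data
        self.pos = 0
        self.allowed = allowed_classes  # None means any class name is accepted

    def fail(self, msg):
        raise PhpSerializeError(f"{msg} at offset {self.pos}")

    def expect(self, token: bytes):
        if not self.data.startswith(token, self.pos):
            self.fail(f"expected {token!r}")
        self.pos += len(token)

    def match(self, pattern: bytes) -> bytes:
        m = re.compile(pattern).match(self.data, self.pos)
        if not m:
            self.fail(f"expected {pattern!r}")
        self.pos = m.end()
        return m.group(0)

    def quoted(self, n: int) -> bytes:
        """Read exactly n bytes between double quotes. The closing quote must
        sit exactly where the declared length says, or the payload is rejected."""
        self.expect(b'"')
        if self.pos + n > len(self.data):
            self.fail(f"declared length {n} runs past end of data")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        self.expect(b'"')
        return s

    def value(self):
        if self.pos >= len(self.data):
            self.fail("unexpected end of data")
        t = self.data[self.pos:self.pos + 1]
        self.pos += 1
        if t == b"N":
            self.expect(b";")
            return None
        self.expect(b":")
        if t == b"b":
            v = self.match(rb"[01]"); self.expect(b";"); return v == b"1"
        if t == b"i":
            v = int(self.match(rb"-?\d+")); self.expect(b";"); return v
        if t == b"d":
            v = float(self.match(rb"-?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][-+]?\d+)?").decode())
            self.expect(b";"); return v
        if t == b"s":
            n = int(self.match(rb"\d+")); self.expect(b":")
            s = self.quoted(n); self.expect(b";")
            return s.decode("latin-1")
        if t == b"a":
            n = int(self.match(rb"\d+")); self.expect(b":{")
            items = {}
            for _ in range(n):  # declared count must match the pairs present
                key = self.value()
                if type(key) not in (int, str):
                    self.fail("array key must be int or string")
                items[key] = self.value()
            self.expect(b"}")
            return items
        if t == b"O":
            n = int(self.match(rb"\d+")); self.expect(b":")
            raw = self.quoted(n)  # class name length checked here
            if not _IDENT.fullmatch(raw):
                self.fail(f"invalid class name {raw!r}")
            cls = raw.decode("latin-1")
            if self.allowed is not None and cls not in self.allowed:
                self.fail(f"class {cls} not in allow-list")
            self.expect(b":")
            count = int(self.match(rb"\d+")); self.expect(b":{")
            props = {}
            for _ in range(count):
                key = self.value()
                if not isinstance(key, str):
                    self.fail("property name must be a string")
                props[key] = self.value()
            self.expect(b"}")
            return PhpObject(cls, props)
        self.fail(f"unknown type tag {t!r}")


def php_unserialize(data: bytes, allowed_classes=None):
    """Strict unserialize: returns the value or raises PhpSerializeError.
    Trailing bytes after the top-level value are rejected as well."""
    p = _Parser(data, allowed_classes)
    v = p.value()
    if p.pos != len(data):
        p.fail("trailing bytes after value")
    return v


def check_payload(data: bytes, allowed_classes=None):
    """Return None if the payload parses cleanly, else the rejection reason."""
    try:
        php_unserialize(data, allowed_classes)
        return None
    except PhpSerializeError as e:
        return str(e)


if __name__ == "__main__":
    # Constructed sample payloads (not the base64 blobs from the report).
    samples = [
        b'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}',  # well-formed object
        b'O:5:"stdClass":0:{}',                       # class-name length mismatch
        b's:100:"abc";',                              # length runs past the data
        b'O:8:"stdClass":2:{s:1:"a";i:1;}',           # property count mismatch
    ]
    for s in samples:
        print(s, "->", check_payload(s) or "ok")
```

The important design choice is that a wrong length never "almost works": the parser consumes exactly the declared number of bytes and then demands the closing quote, so a class name or string whose declared length disagrees with the payload is rejected before any object is constructed, and the payload as a whole is discarded rather than partially applied.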