This repository has been archived by the owner on Oct 14, 2023. It is now read-only.

Failed test with PHP 7.x : unserializing random byte strings #24

Open
remicollet opened this issue Jul 25, 2016 · 2 comments
@remicollet
Contributor

With PHP 7.1.0beta1

```
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
b0rked random data test [tests/igbinary_040.phpt]
=====================================================================

$ cat tests/igbinary_040.out
000000020a4284d884
int(1116002436)
```

@TysonAndre
Member

TysonAndre commented Jul 25, 2016

I'm aware of this issue. It affects all php7 versions. The test attempts to unserialize randomly generated byte streams of various lengths, and fails spuriously because the seed isn't constant.

There's probably some error handling code, cleanup, etc. that needs to be done differently in php7.

I'll investigate this when I have time.

Feel free to post minimal examples of random byte streams which crash igbinary_unserialize call(s).

TysonAndre changed the title from "Failed test with PHP 7.1.x" to "Failed test with PHP 7.x : unserializing random byte strings" on Jul 25, 2016

@TysonAndre
Member

TysonAndre commented Jul 27, 2016

With debugging enabled, this fails. I assume that it would also fail for a cyclic object with garbage data or an exception thrown in a custom unserialize(). I probably need to increment the refcount of the top level array/object node before unserializing it, then, if successful, decrement the refcount of the top level array/object without calling the destructor.

There are other bugs as well (e.g. corrupt data with duplicate keys).

```php
<?php
//  14 02 (REF0) (Array of length 2)
//    11 03 6b656b  string(3) "kek" =>
//      0100 (copy of REF0, possibly should be forbidden if REF0 is a parent and non-references are between them)
//    6c (unknown key type)
$serialized = "\x00\x00\x00\x02\x14\x02\x11\x03\x6b\x65\x6b\x01\x00\x6c";

$x = igbinary_unserialize($serialized);
```

This fails a zend assertion in the garbage collector, because it had a refcount of one (from adding itself to an array), but was destroyed twice.
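
The following tracer is an added example for triaging byte strings like the two in this thread; it is not code from igbinary or from the commenters. It handles only the type bytes annotated above (0x14, 0x11, 0x01) plus 0x0a as a 32-bit big-endian integer, which is an assumption inferred from the test output (`000000020a4284d884` next to `int(1116002436)`), and it reports the offset where decoding stops.

```python
import struct
HEADER = b"\x00\x00\x00\x02"  # 4-byte header shared by both byte strings on the page

def _take(buf, pos, n):
    if pos + n > len(buf):
        raise ValueError(f"offset {pos}: truncated, need {n} byte(s)")
    return buf[pos:pos + n], pos + n

def _value(buf, at, open_ids, seen, out, as_key=False):
    (tag,), pos = _take(buf, at, 1)
    if tag == 0x11:                       # string, 8-bit length
        (n,), pos = _take(buf, pos, 1)
        s, pos = _take(buf, pos, n)
        out.append(f"{at:02d} string8 {s!r}")
    elif tag == 0x0A:                     # assumed: positive 32-bit integer
        raw, pos = _take(buf, pos, 4)
        out.append(f"{at:02d} long32 {struct.unpack('>I', raw)[0]}")
    elif as_key:                          # only strings/integers accepted as keys here
        raise ValueError(f"offset {at}: unknown key type 0x{tag:02x}")
    elif tag == 0x14:                     # array, 8-bit element count
        (n,), pos = _take(buf, pos, 1)
        ref = len(seen)
        seen.append(at)
        out.append(f"{at:02d} array8 len={n} (REF{ref})")
        for _ in range(n):                # each element is a key followed by a value
            pos = _value(buf, pos, open_ids + [ref], seen, out, as_key=True)
            pos = _value(buf, pos, open_ids + [ref], seen, out)
    elif tag == 0x01:                     # back-reference, 8-bit index
        (ref,), pos = _take(buf, pos, 1)
        if ref >= len(seen):
            raise ValueError(f"offset {at}: REF{ref} not defined")
        note = " <- still-open parent" if ref in open_ids else ""
        out.append(f"{at:02d} ref8 REF{ref}{note}")
    else:
        raise ValueError(f"offset {at}: unknown type 0x{tag:02x}")
    return pos

def trace(buf):
    """Return (lines, error); error is None when the whole buffer decodes."""
    out = []
    try:
        if buf[:4] != HEADER:
            raise ValueError("offset 0: bad header")
        if _value(buf, 4, [], [], out) != len(buf):
            raise ValueError("trailing bytes after top-level value")
    except ValueError as e:
        return out, str(e)
    return out, None

TEST_OUTPUT = bytes.fromhex("000000020a4284d884")          # from tests/igbinary_040.out
REPRO = b"\x00\x00\x00\x02\x14\x02\x11\x03kek\x01\x00\x6c"  # reproducer from the comment
```

`trace(REPRO)` lists the array, the `kek` key and the reference back to the still-open array, then stops at offset 13 on the `6c` key byte; `trace(TEST_OUTPUT)` decodes cleanly to a single integer.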
