Stack overflow during var serialization in ext/standard/var #15169

Closed
@YuanchengJiang

Description

The following code:

<?php
// Serializes every input that follows another one in the list; exceptions
// from serialize() are swallowed so the run continues.
function var_fusion($var1, $var2, $var3) {
    $vars = [$var1, $var2, $var3];
    $result = [];
    foreach ($vars as $i => $v1) {
        foreach ($vars as $j => $v2) {
            if ($i < $j) {
                try {
                    $result["serialize_{$j}"] = serialize($v2);
                } catch (Exception $e) {
                }
            }
        }
    }
}

class Node
{
    public $next;
}

// Build a chain of 200000 nodes: each object nests the next one, so
// serialize() recurses once per node.
$firstNode = new Node();
$circularDoublyLinkedList = $firstNode;
for ($i = 0; $i < 200000; $i++) {
    $currentNode = $circularDoublyLinkedList;
    $nextNode = $circularDoublyLinkedList->next;
    $newNode = new Node();
    $currentNode->next = $newNode;   // insert the new node right after the head
    $newNode->next = $nextNode;
}

// $script1_connect and $random_var were undefined in the original report;
// null placeholders keep the reproducer free of undefined-variable warnings.
$script1_connect = null;
$random_var = null;
$script2_connect = $circularDoublyLinkedList;
var_fusion($script1_connect, $script2_connect, $random_var);

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1985328==ERROR: AddressSanitizer: stack-overflow on address 0x7fff2a15be80 (pc 0x55974e0c4609 bp 0x7fff2a15cf10 sp 0x7fff2a15be80 T0)
    #0 0x55974e0c4609 in php_var_serialize_intern /WorkSpace/php-src/ext/standard/var.c:983
    #1 0x55974e0ca7ee in php_var_serialize_intern /WorkSpace/php-src/ext/standard/var.c:1249:8
    ...
    #246 0x55974e0ca7ee in php_var_serialize_intern /WorkSpace/php-src/ext/standard/var.c:1249:8

SUMMARY: AddressSanitizer: stack-overflow /WorkSpace/php-src/ext/standard/var.c:983 in php_var_serialize_intern

Valgrind:

==797883== Stack overflow in thread #1: can't grow stack to 0x1ffe801000
==797883== 
==797883== Process terminating with default action of signal 11 (SIGSEGV)
==797883==  Access not within mapped region at address 0x1FFE801D28
==797883== Stack overflow in thread #1: can't grow stack to 0x1ffe801000
==797883==    at 0x710C2E: php_var_serialize_intern (var.c:983)
==797883==  If you believe this happened as a result of a stack
==797883==  overflow in your program's main thread (unlikely but
==797883==  possible), you can try to increase the size of the
==797883==  main thread stack using the --main-stacksize= flag.
==797883==  The main thread stack size used in this run was 8388608.
==797883== Stack overflow in thread #1: can't grow stack to 0x1ffe801000

PHP Version

PHP 8.4.0-dev

Operating System

Ubuntu 22.04
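The crash above comes from serialize() recursing once per nested object. As an added example (not part of the report or of php-src), the following measures nesting depth with an explicit work list and refuses to serialize values deeper than an assumed application-chosen limit `$maxDepth`; the 200000-node chain is a constructed input mirroring the reproducer.

```php
<?php
// Added example (not from the issue or php-src): measure nesting depth with an
// explicit work list, so the check itself cannot exhaust the C stack, and refuse
// to serialize() values deeper than an assumed application-chosen $maxDepth.
function nesting_depth(mixed $value): int {
    $seen  = new SplObjectStorage(); // objects already visited (cycle guard)
    $stack = [[$value, 1]];          // work list of [node, depth] pairs
    $max   = 0;
    while ($stack) {
        [$node, $depth] = array_pop($stack);
        $max = max($max, $depth);
        if (is_object($node)) {
            if ($seen->contains($node)) {
                continue;            // shared or cyclic reference, already counted
            }
            $seen->attach($node);
            $children = get_object_vars($node); // public props only; private ones need reflection
        } elseif (is_array($node)) {
            $children = $node;
        } else {
            continue;                // scalar or null: a leaf
        }
        foreach ($children as $child) {
            if (is_object($child) || is_array($child)) {
                $stack[] = [$child, $depth + 1];
            }
        }
    }
    return $max;
}
function safe_serialize(mixed $value, int $maxDepth = 1000): string {
    $depth = nesting_depth($value);
    if ($depth > $maxDepth) {
        throw new LengthException("nesting depth $depth exceeds limit $maxDepth");
    }
    return serialize($value);
}
// Constructed sample input: a 200000-node chain like the report's reproducer.
class Node { public $next; }
$head = new Node(); $cur = $head;
for ($i = 0; $i < 200000; $i++) {
    $cur->next = new Node();
    $cur = $cur->next;
}
try {
    safe_serialize($head);
} catch (LengthException $e) {
    echo $e->getMessage(), "\n"; // refused instead of crashing the engine
}
```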
