Skip to content

Fix shm corruption with coercion in options of unserialize() #20129

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: PHP-8.3
Choose a base branch
from
Open

Fix shm corruption with coercion in options of unserialize() #20129

wants to merge 2 commits into from
+13 −4

Conversation

nielsdos
Copy link
Member

No description provided.

@nielsdos nielsdos requested a review from bukka as a code owner October 10, 2025 21:23
Girgias
Girgias reviewed Oct 11, 2025
View reviewed changes
ext/standard/tests/serialize/shm_corruption_coercion_unserialize_options.phpt
Shm corruption with coercion in options of unserialize()
--FILE--
<?php
unserialize("{}", ["allowed_classes" => [0]]);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens if you have a non-stringable object as an option?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That will work

Copy link
Member Author

@nielsdos nielsdos Oct 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the sense that it will throw and exit out at the check after the loop

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool that's the thing I was wondering about.

ext/standard/var.c
convert_to_string(entry);
lcname = zend_string_tolower(Z_STR_P(entry));
/* Note: cannot use zval_get_tmp_string() here as we need to keep it in class_hash for longer than this loop. */
zend_string *str = zval_get_string(entry);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason for not using the try version of this API?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Possible, but not necessary, as we will exit at the exception check a bit later.

@nielsdos nielsdos requested a review from iluuu1994 October 13, 2025 06:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Girgias Girgias Girgias left review comments

@bukka bukka Awaiting requested review from bukka bukka is a code owner

@iluuu1994 iluuu1994 Awaiting requested review from iluuu1994

Assignees

No one assigned

Labels

Extension: standard

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nielsdos @Girgias