Skip to content

Fix GH-22046: The unserialize function with Uri\WhatWg\Url leads to NULL pointer dereference when object serialized back#22058

Open
kocsismate wants to merge 2 commits into
php:masterfrom
kocsismate:gh22046-fix
Open

Fix GH-22046: The unserialize function with Uri\WhatWg\Url leads to NULL pointer dereference when object serialized back#22058
kocsismate wants to merge 2 commits into
php:masterfrom
kocsismate:gh22046-fix

Conversation

@kocsismate
Copy link
Copy Markdown
Member

@kocsismate kocsismate commented May 15, 2026
edited
Loading

Unserializing from the "C" format is explicitly disabled.

@kocsismate kocsismate requested a review from TimWolla as a code owner May 15, 2026 21:32
@kocsismate kocsismate changed the base branch from master to PHP-8.5 May 15, 2026 21:32
TimWolla
TimWolla reviewed May 16, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@TimWolla TimWolla left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned in the issue, this should get a general fix. But the patch LGTM if we decide for some reason not to fix this generally.

iluuu1994
iluuu1994 reviewed May 31, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@iluuu1994 iluuu1994 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO, fuzzing-style issues (things that are effectively impossible to happen by accident) should be fixed on master, assuming they don't pose a security risk (which this does not).

Comment thread ext/standard/var_unserializer.re Outdated
Comment thread ext/standard/var_unserializer.re Outdated
@kocsismate
Copy link
Copy Markdown
Member Author

kocsismate commented Jun 1, 2026

MO, fuzzing-style issues (things that are effectively impossible to happen by accident) should be fixed on master, assuming they don't pose a security risk (which this does not).

Yes, I think you are right! So I changed the target branch to master.

TimWolla
TimWolla approved these changes Jun 3, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@TimWolla TimWolla left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR should be retitled to indicate that it's not a fix that is specific to ext/uri. UPGRADING and NEWS should be added. But the change itself LGTM.

TimWolla
TimWolla reviewed Jun 3, 2026
View reviewed changes
Comment thread ext/standard/var_unserializer.re
Comment on lines -772 to +773
zend_error(E_WARNING, "Class %s has no unserializer", ZSTR_VAL(ce->name));
object_init_ex(rval, ce);
zend_throw_exception_ex(NULL, 0, "Class %s has no unserializer", ZSTR_VAL(ce->name));
return 0;
Copy link
Copy Markdown
Member

@TimWolla TimWolla Jun 3, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On a second thought: Just E_WARNING + return 0; should be sufficient here. The error handling in unserialize() is pretty broken, but the return 0; should keep unserialize(…) === false from working, whereas an exception might not.

See also: https://wiki.php.net/rfc/improve_unserialize_error_handling

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TimWolla TimWolla TimWolla approved these changes

@iluuu1994 iluuu1994 iluuu1994 left review comments

@Girgias Girgias Awaiting requested review from Girgias

@iliaal iliaal Awaiting requested review from iliaal

@ndossche ndossche Awaiting requested review from ndossche

Assignees

No one assigned

Labels

Extension: standard Extension: uri

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kocsismate @TimWolla @iluuu1994