Backtrace with locals from the core dump produced by the proof-of-concept example:
#0 0x000000000053b2b4 in var_push_dtor (var_hashx=0x0,
rval=0x80163b9f0)
at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/
var_unserializer.c:60
60 var_entries *var_hash = var_hashx->first_dtor, *prev =
NULL;
#0 0x000000000053b2b4 in var_push_dtor (var_hashx=0x0,
rval=0x80163b9f0)
at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/
var_unserializer.c:60
var_hash = (var_entries *) 0x80163c560
prev = (var_entries *) 0x77bc58
#1 0x000000000053e2bd in process_nested_data (rval=0x7fffffffc690,
p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0,
ht=0x80163c560, elements=0) at /usr/ports/lang/php5/work/php-5.3.6/
ext/standard/var_unserializer.c:292
key = (zval *) 0x80163c600
data = (zval *) 0x80163c678
old_data = (zval **) 0x80163b9f0
#2 0x000000000053de87 in object_common2 (rval=0x7fffffffc690,
p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0, elements=1)
at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/
var_unserializer.c:363
retval_ptr = (zval *) 0x0
fname = {value = {lval = 0, dval = 0, str = {val = 0x0, len =
75584827}, ht = 0x0, obj = {handle = 0,
handlers = 0x481553b}}, refcount__gc = 0, type = 0 '\0',
is_ref__gc = 0 '\0'}
#3 0x000000000053c450 in php_var_unserialize (rval=0x7fffffffc690,
p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0)
at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/
var_unserializer.c:647
len3 = 7
user_func = (zval *) 0x5fd1a4
arg_func_name = (zval *) 0x98
pce = (zend_class_entry **) 0x80487e7f8
custom_object = 0
len = 7
len2 = 7
maxlen = 531
elements = 1
class_name = 0x80163ba80 "storage"
ce = (zend_class_entry *) 0x801631cd8
incomplete_class = 0
retval_ptr = (zval *) 0x7fffffffc5e0
args = {0x10}
yych = 34 '"'
cursor = (
const unsigned char *) 0x80481532f "\":1:{s:7:\"storage\";O:
6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object
\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:
3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:4;"...
limit = (
const unsigned char *) 0x804815323 "O:7:\"Storage\":1:{s:
7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage
\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:
6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:
6:\"Objec"...
marker = (
const unsigned char *) 0x804815324 ":7:\"Storage\":1:{s:7:\"storage
\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:
6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object
\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object"...
start = (
const unsigned char *) 0x804815323 "O:7:\"Storage\":1:{s:
7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage
\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:
6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:
6:\"Objec"...
rval_ref = (zval **) 0x78
yybm = '\0' <repeats 48 times>,
"\200\200\200\200\200\200\200\200\200\200", '\0' <repeats 197 times>
#4 0x000000000053e156 in process_nested_data (rval=0x80163bef0,
p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0,
ht=0x80163c1f0, elements=9) at /usr/ports/lang/php5/work/php-5.3.6/
ext/standard/var_unserializer.c:275
key = (zval *) 0x80163c328
data = (zval *) 0x80163c478
old_data = (zval **) 0x77bc58
#5 0x000000000053c7c7 in php_var_unserialize (rval=0x80163bef0,
p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0)
at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/
var_unserializer.c:713
elements = 10
yych = 123 '{'
cursor = (
const unsigned char *) 0x80481531f "i:0;O:7:\"Storage\":1:{s:
7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage
\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:
6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"O"...
limit = (
const unsigned char *) 0x804815319 "a:10:{i:0;O:7:\"Storage\":1:{s:
7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage
\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:
6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";"...
marker = (
const unsigned char *) 0x80481531a ":10:{i:0;O:7:\"Storage\":1:{s:
7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage
\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:
6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O"...
start = (
const unsigned char *) 0x804815319 "a:10:{i:0;O:7:\"Storage\":1:{s:
7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage
\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:
6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";"...
rval_ref = (zval **) 0x78
yybm = '\0' <repeats 48 times>,
"\200\200\200\200\200\200\200\200\200\200", '\0' <repeats 197 times>
#6 0x000000000049dc43 in spl_array_unserialize_helper
(intern=0x80163bed8,
buf=0x804815313 "x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage
\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:
6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object
\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"sto"..., buf_len=552,
var_hash_p=0x0) at /usr/ports/lang/php5/work/php-5.3.6/ext/spl/
spl_array.c:1763
p = (
const unsigned char *) 0x804815353 "}i:1;O:7:\"Storage\":1:{s:
7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage
\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:
6:\"Object\":0:{}}i:4;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\""...
s = (
const unsigned char *) 0x804815313 "x:i:0;a:10:{i:0;O:7:\"Storage
\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:
7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage
\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"sto"...
pmembers = (zval *) 0x72a008dc400
pflags = (zval *) 0x80163c328
flags = 0
#7 0x000000000049e084 in spl_array_unserialize
(object=0x7fffffffcbe8, ce=0x801632fc8,
buf=0x804815313 "x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage
\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:
6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object
\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"sto"..., buf_len=552,
data=0x0) at /usr/ports/lang/php5/work/php-5.3.6/ext/spl/
spl_array.c:1852
intern = (spl_array_object *) 0x80163bed8
#8 0x0000000803ef1d58 in igbinary_unserialize_object_ser
(igsd=0x7fffffffcb20, t=igbinary_type_object_ser16, z=0x7fffffffcbe8,
ce=0x801632fc8) at /usr/ports/converters/igbinary/work/
igbinary-1.1.1/igbinary.c:1757
n = 552
#9 0x0000000803ef1a07 in igbinary_unserialize_object
(igsd=0x7fffffffcb20, t=igbinary_type_object_ser16, z=0x7fffffffcbe8)
at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:
1884
ce = (zend_class_entry *) 0x801632fc8
pce = (zend_class_entry **) 0x804880a78
h = (zval *) 0x0
f = {value = {lval = 140737488341576, dval =
6.9533558071555652e-310, str = {val = 0x7fffffffca48 "(»c\001\b",
len = -13776}, ht = 0x7fffffffca48, obj = {handle = 4294953544,
handlers = 0x7fffffffca30}}, refcount__gc = 4294953648,
type = 0 '\0', is_ref__gc = 0 '\0'}
name = 0x804815306 "Collection\036\002(x:i:0;a:10:{i:0;O:
7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage
\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:
7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage"...
name_len = 10
r = 45
incomplete_class = false
user_func = (zval *) 0x98
retval_ptr = (zval *) 0x80163ba90
args = {0x80160a300}
arg_func_name = (zval *) 0x40
#10 0x0000000803ef0e7a in igbinary_unserialize_zval
(igsd=0x7fffffffcb20, z=0x7fffffffcbe8)
at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:
1999
t = igbinary_type_object8
tmp_long = 140737488341744
tmp_double = 6.9533558071662371e-310
tmp_chararray = 0x803ef4278 "/usr/ports/converters/igbinary/
work/igbinary-1.1.1/igbinary.c"
tmp_size_t = 5450313498624
#11 0x0000000803eee705 in igbinary_unserialize (buf=0x804815300 "",
buf_len=571, z=0x7fffffffcbe8)
at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:
363
igsd = {buffer = 0x804815300 "", buffer_size = 571,
buffer_offset = 19, strings = 0x80163bae0, strings_count = 1,
strings_capacity = 4, references = 0x80163b6f8, references_count =
1, references_capacity = 4, error = 0, string0_buf = {
c = 0x0, len = 0, a = 0}}
#12 0x000000080423f3f8 in php_memc_zval_from_payload
(value=0x801631630, payload=0x804815300 "", payload_len=571, flags=5,
serializer=SERIALIZER_IGBINARY) at /root/php-memcached/
php_memcached.c:2719
payload_emalloc = 0 '\0'
buffer = 0x0
#13 0x0000000804238381 in php_memc_get_impl (ht=1,
return_value=0x801631630, return_value_ptr=0x0, this_ptr=0x80162e600,
return_value_used=1, by_key=0 '\0') at /root/php-memcached/
php_memcached.c:625
rc = 0
return_value_set = 0 '\0'
key = 0x80163b810 "foobar"
key_len = 6
server_key = 0x0
server_key_len = 0
payload = 0x804815300 ""
payload_len = 571
flags = 5
cas = 0
keys = {0x80163b810 "foobar"}
key_lens = {6}
cas_token = (zval *) 0x0
fci = {size = 0, function_table = 0x0, function_name = 0x0,
symbol_table = 0x0, retval_ptr_ptr = 0x0, param_count = 0,
params = 0x0, object_ptr = 0x0, no_separation = 0 '\0'}
fcc = {initialized = 0 '\0', function_handler = 0x0,
calling_scope = 0x0, called_scope = 0x0, object_ptr = 0x0}
result = {item_flags = 4294954352, item_expiration = 16,
key_length = 140737488342384, item_cas = 6268759,
root = 0x80163ba90, value = {end = 0x80160a300 "\001", string =
0x1a520 <Address 0x1a520 out of bounds>, current_size = 16,
root = 0x80160aa18, options = {is_allocated = true, is_initialized
= false}},
item_key = "Ⱥc\001\b\000\000\000\001\000\000\000Üø\022sð\217y
\000\000\000\000\000\000\020#\004»\001\000\000h~y
\000\000\000\000\000\220Õ_\000\001\000\000\000\020¸c\001\b
\000\000\000\000£`\001\b\000\000\000À·c\001\b", '\0' <repeats 15
times>, "\001\000\000\000Ž_\000\000\000\000\000p½c\001\b
\000\000\000\001\000\000\000Üø\022sh~y\000\000\000\000\000°¿c\001>
\001\000\000ÐÐy\000\000\000\000\000`\205\210\004\001\000\000\0000\026c
\001\b\000\000\000Ž_\000\000\000\000\000à\025c\001\b
\000\000\000\001\000\000\000Üø\022sh~y\000\000\000\000\000JÊ_
\000\000\000\000\000\220Ðy\000\000\000\000\000`\000\000\000\000"...,
options = {is_allocated = false,
is_initialized = false}}
status = MEMCACHED_SUCCESS
object = (zval *) 0x80162e600
i_obj = (php_memc_t *) 0x801634410
m_obj = (struct memc_obj *) 0x801638070
#14 0x0000000804237c0b in zim_Memcached_get (ht=1,
return_value=0x801631630, return_value_ptr=0x0, this_ptr=0x80162e600,
return_value_used=1) at /root/php-memcached/php_memcached.c:465
No locals.
#15 0x000000000065ba1c in zend_do_fcall_common_helper_SPEC
(execute_data=0x804888080) at zend_vm_execute.h:316
opline = (zend_op *) 0x801630ce0
should_change_scope = 1 '\001'
#16 0x000000000065c9c5 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0x804888080) at zend_vm_execute.h:421
No locals.
#17 0x000000000065a9ea in execute (op_array=0x801634540) at
zend_vm_execute.h:107
ret = 0
execute_data = (zend_execute_data *) 0x804888080
nested = 1 '\001'
original_in_execution = 0 '\0'
#18 0x000000000062745d in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend.c:1194
files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fffffffd270, reg_save_area = 0x7fffffffd1b0}}
i = 1
file_handle = (zend_file_handle *) 0x7fffffffea20
orig_op_array = (zend_op_array *) 0x0
orig_retval_ptr_ptr = (zval **) 0x0
#19 0x00000000005a7712 in php_execute_script
(primary_file=0x7fffffffea20) at /usr/ports/lang/php5/work/php-5.3.6/
main/main.c:2268
realfile = "/www/ch9/test.php\000\000\000\002\000\000\000pïb
\001\b\000\000\000pïb\001\b
\000\000\000\002\000\000\000\001\000\000\000`ðb\001\b\000\000\000\200Û
\215\000\003\000\000\000@ãÿÿÿ\177\000\000\177®c\000\000\000\000\000pïb
\001\b\000\000\000\020\000\000\000\002\000\000\000pïb\001\b", '\0'
<repeats 11 times>, "8\230x\000\000\000\000\000ð
\000\000\000\003\000\000\000ðãÿÿÿ\177\000\000d\032\\
\000\000\000\000\000 ª`\001\000\000\000\000\026", '\0' <repeats 15
times>, "\230x\002\000\000\000\000\000pïb\001\b\000\000\000pïb\001\b
\000\000\000p\233w\000\000\000\000\000 ïb\001d\001"...
__orig_bailout = (sigjmp_buf *) 0x7fffffffe980
__bailout = {{_sjb = {5928021, 2, 140737488343656,
140737488349280, 140737488350208, 140737488350184, 0, 0, 34382807679,
6365355, 140737488349008, 0}}}
prepend_file_p = (zend_file_handle *) 0x0
append_file_p = (zend_file_handle *) 0x0
prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0,
opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0,
buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0,
fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0,
opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0,
buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0,
fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
old_cwd = 0x7fffffffd290 ""
use_heap = 0 '\0'
retval = 0
#20 0x000000000071b74a in main (argc=2, argv=0x7fffffffebe8) at /usr/
ports/lang/php5/work/php-5.3.6/sapi/cli/php_cli.c:1193
__orig_bailout = (sigjmp_buf *) 0x0
__bailout = {{_sjb = {7449865, 2, 140737488349288,
140737488350096, 140737488350208, 140737488350184, 0, 0, 34368979839,
34369030656, 34369031168, 34359738368}}}
exit_status = 0
c = -1
file_handle = {type = ZEND_HANDLE_MAPPED, filename =
0x7fffffffee2c "test.php", opened_path = 0x0, handle = {
fd = 23262976, fp = 0x80162f700, stream = {handle = 0x80162f700,
isatty = 0, mmap = {len = 1060, pos = 0, map = 0x8008f4000,
buf = 0x8008f4000 <Address 0x8008f4000 out of bounds>,
old_handle = 0x801505c20,
old_closer = 0x643b30 <zend_stream_stdio_closer>}, reader =
0x643b00 <zend_stream_stdio_reader>,
fsizer = 0x643b70 <zend_stream_stdio_fsizer>, closer = 0x643cd0
<zend_stream_mmap_closer>}}, free_filename = 0 '\0'}
behavior = 1
reflection_what = 0x0
orig_optind = 1
orig_optarg = 0x0
arg_free = 0x7fffffffee2c "test.php"
arg_excp = (char **) 0x7fffffffebf0
script_file = 0x7fffffffee2c "test.php"
interactive = 0
module_started = 1
request_started = 1
lineno = 1
exec_direct = 0x0
exec_run = 0x0
exec_begin = 0x0
exec_end = 0x0
param_error = 0x0
hide_argv = 0
ini_entries_len = 110