#1 PHP notice output during unserialization of Math_BigInteger

closed
nobody
None
5
2010-03-22
2010-03-22
Brion Vibber
No

Tested with current CVS (version 1.31 of Math/BigInteger.php).

If a Math_BigInteger with value 0 is serialized, the hex representation saved from __sleep() is empty. When this is fed back into the constructor by __wakeup() at unserialize time, we end up at some point getting a notice output trying to access the first character in the string.

Since Crypt_RSA objects store a bigint 0 value, this hits anything that serializes Crypt_RSA objects.

Example code:

<?php

error_reporting(E_ALL);
ini_set('display_errors', 1);

require "Math/BigInteger.php";

$zero = new Math_BigInteger();
print "Original: " . $zero->toString() . "\n";

$ser = serialize($zero);
print "Serialized: $ser\n";

$zero2 = unserialize($ser);
print "Unserialized: " . $zero2->toString() . "\n";

Expected output:
$ php demo.php
Original: 0
Serialized: O:15:"Math_BigInteger":1:{s:3:"hex";s:0:"";}
Unserialized: 0

Actual output:
$ php demo.php
Original: 0
Serialized: O:15:"Math_BigInteger":1:{s:3:"hex";s:0:"";}

Notice: Uninitialized string offset: 0 in /home/brion/src/bigint/phpseclib/Math/BigInteger.php on line 354
Unserialized: 0

Patch attached, avoids using the empty string when waking.

Discussion

  • Brion Vibber
    Brion Vibber
    2010-03-22

     
    Attachments
  • Jim Wigginton
    Jim Wigginton
    2010-03-22

    I've chosen a simpler fix (replacing "=== 0" with "empty()") that resolves a few extra issues, as well. ie. "new Math_BigInteger('', -256)', etc.

    Thanks for reporting the issue!

     
  • Jim Wigginton
    Jim Wigginton
    2010-03-22

    • status: open --> closed