ZF-8015: AMF0 Deserializer Reference Handling Improper


The AMF0 deserializer adds objects to the reference array after they've been completely deserialized, which means that ALL nested objects fail to deserialize in AMF0 mode.

For example: var a:Object = {test: 'asdf'} var b:Array = [a, a];

When serialized, the ref index should be 1, for "a", however, when Zend AMF deserializes this, the reference array will only have one item in it when it reaches the reference to a, so it will crash.


Is this still an issue? Should it be fixed for v1.12?

Looks like it still is an issue in 1.11.11. By adding the object to the reference cache after the contents have been read, any reference's offsets are incorrect, and it makes it impossible to deserialize circular references.

    public function readObject($object = null)
        if ($object === null) {
            $object = array();

        while (true) {
            $key        = $this->_stream->readUTF();
            $typeMarker = $this->_stream->readByte();
            if ($typeMarker != Zend_Amf_Constants::AMF0_OBJECTTERM ){
                //Recursivly call readTypeMarker to get the types of properties in the object
                $object[$key] = $this->readTypeMarker($typeMarker);
            } else {
                //encountered AMF object terminator
        $this->_reference[] = $object; // ***** THIS LINE SHOULD COME BEFORE ANY READING *****
        return (object) $object;

The AMF0 deserializer has several other issues with how it handles references for data structures, so it may not be worth fixing if no one has cared enough to fix it before.