From: [EMAIL PROTECTED] Operating system: Windows 2000 PHP version: 4.2.1 PHP Bug Type: MSSQL related Bug description: mssql extension crashes if magic_quotes_runtime is on
I've found a bug in the mssql extension: If magic_quotes_runtime is set every mssql_fetch_* produces a crash of php due to double freed memory. The problem itself is produced in the following code: if (PG(magic_quotes_runtime)) { data = php_addslashes(Z_STRVAL(result->data[result->cur_row][i]), Z_STRLEN(result->data[result->cur_row][i]), &Z_STRLEN(result->data[result->cur_row][i]), 1 TSRMLS_CC); there the string stored in the zval gets freed without destroying the zval itself, so later if the destructor of the the zval gets called (in _free_result) the data is already freed and php crashes with a memory exception. to (quick)fix this just change the function call to data = php_addslashes(Z_STRVAL(result->data[result->cur_row][i]), Z_STRLEN(result->data[result->cur_row][i]), &data_len, 0 TSRMLS_CC); the data_len is there since the length of the passed string doesn't change and if it gets changed by php_addslashes we will get warnings of not 0 terminated strings sometimes. and the last parameter was changed to 0 so php_addslashes doesn't free the memory. regards Dominik del Bondio -- Edit bug report at http://bugs.php.net/?id=17497&edit=1 -- Fixed in CVS: http://bugs.php.net/fix.php?id=17497&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=17497&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=17497&r=needtrace Try newer version: http://bugs.php.net/fix.php?id=17497&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=17497&r=support Expected behavior: http://bugs.php.net/fix.php?id=17497&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=17497&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=17497&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=17497&r=globals