From: [EMAIL PROTECTED]
Operating system: Windows 2000
PHP version: 4.2.1
PHP Bug Type: MSSQL related
Bug description: mssql extension crashes if magic_quotes_runtime is on
I've found a bug in the mssql extension: If magic_quotes_runtime is set
every mssql_fetch_* produces a crash of php due to double freed memory.
The problem itself is produced in the following code:
if (PG(magic_quotes_runtime)) {
data = php_addslashes(Z_STRVAL(result->data[result->cur_row][i]),
Z_STRLEN(result->data[result->cur_row][i]),
&Z_STRLEN(result->data[result->cur_row][i]), 1 TSRMLS_CC);
there the string stored in the zval gets freed without destroying the zval
itself, so later if the destructor of the the zval gets called (in
_free_result) the data is already freed and php crashes with a memory
exception.
to (quick)fix this just change the function call to
data = php_addslashes(Z_STRVAL(result->data[result->cur_row][i]),
Z_STRLEN(result->data[result->cur_row][i]), &data_len, 0 TSRMLS_CC);
the data_len is there since the length of the passed string doesn't change
and if it gets changed by php_addslashes we will get warnings of not 0
terminated strings sometimes. and the last parameter was changed to 0 so
php_addslashes doesn't free the memory.
regards
Dominik del Bondio
--
Edit bug report at http://bugs.php.net/?id=17497&edit=1
--
Fixed in CVS: http://bugs.php.net/fix.php?id=17497&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=17497&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=17497&r=needtrace
Try newer version: http://bugs.php.net/fix.php?id=17497&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=17497&r=support
Expected behavior: http://bugs.php.net/fix.php?id=17497&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=17497&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=17497&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=17497&r=globals
