From:             mattr at shoplet dot com
Operating system: FreeBSD 6.2
PHP version:      5.2.5
PHP Bug Type:     MySQLi related
Bug description:  canary mismatch on efree() - heap overflow detected

Description:
------------
The execution of the attached script halts unexpectedly with "ALERT -
canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR
not set', file '../library/Zend/Db/Statement/Mysqli.php', line 113)" in the
apache error log.


PHP Info:
-----------------------
PHP Version => 5.2.5
System => FreeBSD localhost 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12
11:05:30 UTC 2007     [EMAIL PROTECTED]
alo.edu:/usr/obj/usr/src/sys/SMP i386
Configure Command =>  './configure'  '--with-layout=GNU'
'--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all'
'--enable-libxml' '--with-libxml-dir=/usr/local' '--enable-reflection'
'--program-prefix=' '--enable-fastcgi' '--with-apxs=/usr/local/sbin/apxs'
'--with-regex=php' '--with-zend-vm=CALL' '--enable-debug'
'--enable-zend-multibyte' '--prefix=/usr/local' '--mandir=/usr/local/man'
'--infodir=/usr/local/info/'
PHP API => 20041225
PHP Extension => 20060613
Zend Extension => 220060519
Debug Build => yes
Thread Safety => disabled
Zend Memory Manager => enabled
IPv6 Support => enabled

This server is protected with the Suhosin Patch 0.9.6.2
Copyright (c) 2006 Hardened-PHP Project

-----------------------

Script fails on another machine running Debian 4 in the same reproducible
manner with and without the Suhosin patch.




Reproduce code:
---------------
#!/usr/local/bin/php
<?php
// Reproduce script as posted. It is run from the CLI (see the php_cli.c frame in
// the backtrace), needs the Zend Framework library on the include path, and a
// local MySQL server holding the eproc, eproc2, email_store and files databases.

set_include_path('../library/' . PATH_SEPARATOR . '../application/lib/' .
    PATH_SEPARATOR . get_include_path());

require_once('Zend/Db.php');
// Zend Db classes can be found here: http://framework.zend.com
// Can attach to the ticket later if needed.

date_default_timezone_set('America/New_York');

// Zend_Db_Adapter_Mysqli wraps ext/mysqli; the alert is raised from
// Zend/Db/Statement/Mysqli.php line 113, the free from mysqli_api.c line 362.
$db = Zend_Db::factory('mysqli', Array('host' => 'localhost', 'username' => '',
    'password' => '', 'dbname' => 'eproc'));
$order_num = 1208212550;

// First query binds through quoteInto(); the rest interpolate $order_num into
// the SQL directly, which is only safe here because it is an integer literal.
$sql = $db->quoteInto("SELECT * FROM `eproc`.`Orders` WHERE `order_num`=? LIMIT 1", $order_num);
$q = $db->fetchAll($sql);

$batch_status = $db->fetchOne("SELECT `to_po` FROM `eproc2`.`batch_status` WHERE `status`='done' ORDER BY `to_po` DESC LIMIT 1");

$items = $db->fetchAll("SELECT * FROM `eproc`.`Order_Item` WHERE `order_num`='{$order_num}' ORDER BY `line_num` ASC");

$notes = $db->fetchAll("SELECT * FROM `eproc`.`notes` WHERE `order_num`='{$order_num}' ORDER BY `sticky` DESC, `date_modified` ASC");

$emails = $db->fetchAll("SELECT `message_id`,`from_email`,`to_email`,`subject`,`date_received` FROM `email_store`.`email` WHERE `order_num`='{$order_num}' ORDER BY `date_received` ASC");

$attachments = $db->fetchAll("SELECT * FROM `files`.`order_attachments` WHERE `order_num`='{$order_num}' ORDER BY `timestampAdded` ASC");

print_r($q);
print_r($order_id);   // never assigned in this script; prints nothing (E_NOTICE)
print_r($batch_status);
print_r($items);
print_r($notes);
print_r($emails);
print_r($attachments);


Expected result:
----------------
Several Arrays of database results

Actual result:
--------------
Execution:
[Wed Apr 30 12:45:01 2008]  Script:  './index.php'
---------------------------------------
/usr/ports/lang/php5/work/php-5.2.5/Zend/zend_opcode.c(238) : Block 0x0828d0e0 status:
Invalid pointer: ((prev=0x00000045) != (prev.size=0x00000000))
---------------------------------------
[Wed Apr 30 12:45:01 2008]  Script:  './index.php'
---------------------------------------
/usr/ports/lang/php5/work/php-5.2.5/Zend/zend_variables.h(35) : Block 0x0828d09c status:
/usr/ports/lang/php5/work/php-5.2.5/Zend/zend_variables.c(36) : Actual location (location was relayed)
Invalid pointer: ((size=0x00000000) != (next.prev=0x0000003d))
---------------------------------------
[Wed Apr 30 12:45:01 2008]  Script:  './index.php'
/usr/ports/databases/php5-mysqli/work/php-5.2.5/ext/mysqli/mysqli_api.c(362) :  Freeing 0x0828D060 (0 bytes), script=./index.php
zend_mm_heap corrupted
Segmentation fault (core dumped)




Backtrace:

#0  0x28583ecb in kill () from /lib/libc.so.6
#1  0x08150f51 in zend_mm_panic (message=0x8252700 "zend_mm_heap corrupted")
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:94
#2  0x08151ef5 in zend_mm_find_leaks (segment=0x827e000, b=0x828d02c)
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:1223
#3  0x08152070 in zend_mm_check_leaks (heap=0x827d400)
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:1277
#4  0x08152aaf in zend_mm_shutdown (heap=0x827d400, full_shutdown=0, silent=0)
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:1632
#5  0x08154a76 in shutdown_memory_manager (silent=0, full_shutdown=0)
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:2553
#6  0x0812479b in php_request_shutdown (dummy=0x0)
    at /usr/ports/lang/php5/work/php-5.2.5/main/main.c:1510
#7  0x081d7677 in main (argc=2, argv=0xbfbfeca0)
    at /usr/ports/lang/php5/work/php-5.2.5/sapi/cli/php_cli.c:1327



-- 
Edit bug report at http://bugs.php.net/?id=44872&edit=1
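The two kinds of message in the report, the Suhosin "canary mismatch on efree()" alert and the Zend debug heap's "Invalid pointer: ((size=...) != (next.prev=...))" block-status lines, are both consistency checks an allocator runs when a block is handed back. The toy allocator below is an added illustration of that mechanism and is not code from PHP, the Zend memory manager, Suhosin or the bug report: every name, the block layout (header with size, prev_size and a canary, user data, trailing canary) and the constants are this example's own assumptions. It allocates two adjacent blocks, overruns the first by a chosen number of bytes, and returns a bitmask of what the free-time check detects.

```c
/*
 * Toy canary-guarded bump allocator (added example; not Zend/Suhosin code).
 * Block layout inside one static arena:
 *   [header: size | prev_size | canary][user data padded to 4][trailing canary]
 * canary_free() re-checks both canaries and the size/prev_size linkage with
 * the following block, the kind of check behind the messages in the report.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 4096u
#define CANARY     0x5A3C9E1Fu   /* assumed constant; real implementations randomise it */

typedef struct {
    uint32_t size;       /* bytes requested by the caller            */
    uint32_t prev_size;  /* 'size' of the block immediately before   */
    uint32_t canary;     /* header canary (catches underflows)       */
} block_hdr;

enum {
    FREE_OK              = 0,
    FREE_CANARY_MISMATCH = 1,   /* header or trailing canary overwritten      */
    FREE_LINK_MISMATCH   = 2,   /* next block's prev_size disagrees with size */
    FREE_BAD_SIZE        = 4    /* header size no longer lies inside arena    */
};

static unsigned char arena[ARENA_SIZE];
static size_t   arena_used = 0;
static uint32_t last_size  = 0;

static size_t round4(uint32_t n) { return ((size_t)n + 3u) & ~(size_t)3u; }

void arena_reset(void) { arena_used = 0; last_size = 0; memset(arena, 0, sizeof arena); }

/* Allocate 'size' bytes. Header and trailing canary are written with memcpy
 * so the code stays alignment- and aliasing-clean. */
void *canary_alloc(uint32_t size)
{
    size_t padded = round4(size);
    size_t need = sizeof(block_hdr) + padded + sizeof(uint32_t);
    if (need > ARENA_SIZE - arena_used) return NULL;

    block_hdr h = { size, last_size, CANARY };
    uint32_t tail = CANARY;
    unsigned char *base = arena + arena_used;
    memcpy(base, &h, sizeof h);
    memcpy(base + sizeof h + padded, &tail, sizeof tail);

    arena_used += need;
    last_size = size;
    return base + sizeof h;
}

/* Validate a block on free; returns a bitmask of the problems found. */
int canary_free(void *p)
{
    unsigned char *data = p;
    block_hdr h;
    uint32_t tail;
    int status = FREE_OK;

    memcpy(&h, data - sizeof h, sizeof h);
    if (h.canary != CANARY) status |= FREE_CANARY_MISMATCH;

    /* A trashed size would send the checks below outside the arena; that is
     * where an allocator without this guard simply segfaults. */
    size_t padded = round4(h.size);
    size_t off = (size_t)(data - arena);
    if (padded + sizeof tail > arena_used - off) return status | FREE_BAD_SIZE;

    memcpy(&tail, data + padded, sizeof tail);
    if (tail != CANARY) status |= FREE_CANARY_MISMATCH;

    unsigned char *next = data + padded + sizeof tail;
    if ((size_t)(next - arena) + sizeof(block_hdr) <= arena_used) {
        block_hdr nh;
        memcpy(&nh, next, sizeof nh);
        if (nh.prev_size != h.size) {
            fprintf(stderr, "Invalid pointer: ((size=0x%08x) != (next.prev=0x%08x))\n",
                    h.size, nh.prev_size);
            status |= FREE_LINK_MISMATCH;
        }
    }
    if (status & FREE_CANARY_MISMATCH)
        fprintf(stderr, "ALERT - canary mismatch on free() - heap overflow detected\n");
    return status;
}

/* Allocate two adjacent blocks, overrun the first by 'overflow' bytes and
 * report what freeing it detects. */
int demo_overflow(uint32_t size, uint32_t overflow)
{
    arena_reset();
    unsigned char *a = canary_alloc(size);
    unsigned char *b = canary_alloc(size);   /* its header follows a's trailing canary */
    if (!a || !b) return -1;
    memset(a, 'A', size + overflow);         /* the bug under test: writes past a */
    return canary_free(a);
}

int main(void)
{
    printf("no overflow  : %d\n", demo_overflow(16, 0));
    printf("1 byte over  : %d\n", demo_overflow(16, 1));
    printf("12 bytes over: %d\n", demo_overflow(16, 12));
    return 0;
}
```

A one-byte overrun only reaches the trailing canary, so the canary check fires alone; a twelve-byte overrun also rewrites the next block's size and prev_size, so the linkage check fires as well. That second case is the shape of what the report shows: the block freed from mysqli_api.c(362) has bad metadata, and the corruption is finally reported when the debug heap walks the block chain at request shutdown (zend_mm_check_leaks in the backtrace) and panics with "zend_mm_heap corrupted".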