ID:               44872
Comment by:       mike at gmi dot co dot nz
Reported By:      mattr at shoplet dot com
Status:           No Feedback
Bug Type:         MySQLi related
Operating System: FreeBSD 6.2
PHP Version:      5.2.5
New Comment:

Experiencing the same thing with an MSSQL query (mssql_query()) on Debian and using PHP 5.2.6-2 with Suhosin-Patch 0.9.6.2 (cli) (built: Jul 3 2008 07:52:34)


Previous Comments:
------------------------------------------------------------------------

[2008-05-10 01:00:00] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".

------------------------------------------------------------------------

[2008-05-02 11:20:09] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz

For Windows (zip):

  http://snaps.php.net/win32/php5.3-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.3-win32-installer-latest.msi

------------------------------------------------------------------------

[2008-04-30 17:19:34] mattr at shoplet dot com

Description:
------------
The execution of the attached script halts unexpectedly with "ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file '../library/Zend/Db/Statement/Mysqli.php', line 113)" in the apache error log.

PHP Info:
-----------------------
PHP Version => 5.2.5

System => FreeBSD localhost 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 11:05:30 UTC 2007 [EMAIL PROTECTED] alo.edu:/usr/obj/usr/src/sys/SMP i386
Configure Command => './configure' '--with-layout=GNU' '--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all' '--enable-libxml' '--with-libxml-dir=/usr/local' '--enable-reflection' '--program-prefix=' '--enable-fastcgi' '--with-apxs=/usr/local/sbin/apxs' '--with-regex=php' '--with-zend-vm=CALL' '--enable-debug' '--enable-zend-multibyte' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/'
PHP API => 20041225
PHP Extension => 20060613
Zend Extension => 220060519
Debug Build => yes
Thread Safety => disabled
Zend Memory Manager => enabled
IPv6 Support => enabled

This server is protected with the Suhosin Patch 0.9.6.2
Copyright (c) 2006 Hardened-PHP Project
-----------------------

Script fails on another machine running Debian 4 in the same reproducible manner with and without the Suhosin patch.

Reproduce code:
---------------
#!/usr/local/bin/php
<?php
set_include_path('../library/'. PATH_SEPARATOR . '../application/lib/' . PATH_SEPARATOR . get_include_path());
require_once('Zend/Db.php');
// Zend Db classes can be found here: http://framework.zend.com
// Can attach to the ticket later if needed.

date_default_timezone_set('America/New_York');

$db = Zend_Db::factory('mysqli',Array('host'=>'localhost','username'=>'','password'=>'','dbname'=>'eproc'));
$order_num = 1208212550;

$sql = $db->quoteInto("SELECT * FROM `eproc`.`Orders` WHERE `order_num`=? LIMIT 1",$order_num);
$q = $db->fetchAll($sql);
$batch_status = $db->fetchOne("SELECT `to_po` FROM `eproc2`.`batch_status` WHERE `status`='done' ORDER BY `to_po` DESC LIMIT 1");
$items = $db->fetchAll("SELECT * FROM `eproc`.`Order_Item` WHERE `order_num`='{$order_num}' ORDER BY `line_num` ASC");
$notes = $db->fetchAll("SELECT * FROM `eproc`.`notes` WHERE `order_num`='{$order_num}' ORDER BY `sticky` DESC, `date_modified` ASC");
$emails = $db->fetchAll("SELECT `message_id`,`from_email`,`to_email`,`subject`,`date_received` FROM `email_store`.`email` WHERE `order_num`='{$order_num}' ORDER BY `date_received` ASC");
$attachments = $db->fetchAll("SELECT * FROM `files`.`order_attachments` WHERE `order_num`='{$order_num}' ORDER BY `timestampAdded` ASC");

print_r($q);
print_r($order_id);
print_r($batch_status);
print_r($items);
print_r($notes);
print_r($emails);
print_r($attachments);

Expected result:
----------------
Several Arrays of database results

Actual result:
--------------
Execution:
[Wed Apr 30 12:45:01 2008]  Script:  './index.php'
---------------------------------------
/usr/ports/lang/php5/work/php-5.2.5/Zend/zend_opcode.c(238) : Block 0x0828d0e0 status:
Invalid pointer: ((prev=0x00000045) != (prev.size=0x00000000))
---------------------------------------
[Wed Apr 30 12:45:01 2008]  Script:  './index.php'
---------------------------------------
/usr/ports/lang/php5/work/php-5.2.5/Zend/zend_variables.h(35) : Block 0x0828d09c status:
/usr/ports/lang/php5/work/php-5.2.5/Zend/zend_variables.c(36) : Actual location (location was relayed)
Invalid pointer: ((size=0x00000000) != (next.prev=0x0000003d))
---------------------------------------
[Wed Apr 30 12:45:01 2008]  Script:  './index.php'
/usr/ports/databases/php5-mysqli/work/php-5.2.5/ext/mysqli/mysqli_api.c(362) : Freeing 0x0828D060 (0 bytes), script=./index.php
zend_mm_heap corrupted
Segmentation fault (core dumped)

Backtrace:
#0  0x28583ecb in kill () from /lib/libc.so.6
#1  0x08150f51 in zend_mm_panic (message=0x8252700 "zend_mm_heap corrupted")
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:94
#2  0x08151ef5 in zend_mm_find_leaks (segment=0x827e000, b=0x828d02c)
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:1223
#3  0x08152070 in zend_mm_check_leaks (heap=0x827d400)
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:1277
#4  0x08152aaf in zend_mm_shutdown (heap=0x827d400, full_shutdown=0, silent=0)
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:1632
#5  0x08154a76 in shutdown_memory_manager (silent=0, full_shutdown=0)
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:2553
#6  0x0812479b in php_request_shutdown (dummy=0x0)
    at /usr/ports/lang/php5/work/php-5.2.5/main/main.c:1510
#7  0x081d7677 in main (argc=2, argv=0xbfbfeca0)
    at /usr/ports/lang/php5/work/php-5.2.5/sapi/cli/php_cli.c:1327

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=44872&edit=1