From:             [EMAIL PROTECTED]
Operating system: Linux 64bit
PHP version:      5.3CVS-2008-08-28 (CVS)
PHP Bug Type:     MySQLi related
Bug description:  mysqli_stmt_fetch() crashes

Description:
------------
ext/mysqli/tests/mysqli_stmt_bind_result.phpt crashes.
The invalid write and the crash it causes are reproducible both in ZTS and
non-ZTS modes.

#  mysql --version
mysql  Ver 14.12 Distrib 5.0.26, for suse-linux-gnu (x86_64) using
readline 5.1

Using ./configure --with-mysqli seems to be enough (i.e. no mysqlnd used).

Reproduce code:
---------------
See ext/mysqli/tests/mysqli_stmt_bind_result.phpt

Actual result:
--------------
GDB bt:

Program terminated with signal 11, Segmentation fault.
#0  0x00000000006e2027 in mysqli_stmt_fetch_libmysql (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, tsrm_ls=0x18940c0)
    at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:842
842                             if (Z_TYPE_P(stmt->result.vars[i]) == IS_STRING) {
(gdb) bt
#0  0x00000000006e2027 in mysqli_stmt_fetch_libmysql (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, tsrm_ls=0x18940c0)
    at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:842
#1  0x00000000006e2aaa in zif_mysqli_stmt_fetch (ht=1, return_value=0x1be4e80, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, tsrm_ls=0x18940c0)
    at /local/qa/5_3.gcov/ext/mysqli/mysqli_api.c:984
#2  0x0000000000d3e3ca in zend_do_fcall_common_helper_SPEC (execute_data=0x2b7bf7ab3970, tsrm_ls=0x18940c0)
    at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:315
#3  0x0000000000d48039 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2b7bf7ab3970, tsrm_ls=0x18940c0)
    at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:1574
#4  0x0000000000d3c7ef in execute (op_array=0x1bf0240, tsrm_ls=0x18940c0)
    at /local/qa/5_3.gcov/Zend/zend_vm_execute.h:104
#5  0x0000000000ce945f in zend_execute_scripts (type=8, tsrm_ls=0x18940c0, retval=0x0, file_count=3)
    at /local/qa/5_3.gcov/Zend/zend.c:1197
#6  0x0000000000bff458 in php_execute_script (primary_file=0x7fffb30af670, tsrm_ls=0x18940c0)
    at /local/qa/5_3.gcov/main/main.c:2074
#7  0x0000000000e04d76 in main (argc=61, argv=0x7fffb30af8c8)
    at /local/qa/5_3.gcov/sapi/cli/php_cli.c:1130


Valgrind log:
==25793== Invalid write of size 1
==25793==    at 0x5CC414: mysqli_stmt_fetch_libmysql (mysqli_api.c:826)
==25793==    by 0x5CCC93: zif_mysqli_stmt_fetch (mysqli_api.c:984)
==25793==    by 0x9E374D: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:315)
==25793==    by 0x9EA1EE: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1574)
==25793==    by 0x9E21FF: execute (zend_vm_execute.h:104)
==25793==    by 0x9AD109: zend_execute_scripts (zend.c:1197)
==25793==    by 0x90F5E1: php_execute_script (main.c:2074)
==25793==    by 0xA618F0: main (php_cli.c:1130)
==25793==  Address 0x8b83368 is 0 bytes after a block of size 256 alloc'd
==25793==    at 0x4C22DAB: malloc (vg_replace_malloc.c:207)
==25793==    by 0x97D83A: _emalloc (zend_alloc.c:2285)
==25793==    by 0x5C9EBB: mysqli_stmt_bind_result_do_bind (mysqli_api.c:407)
==25793==    by 0x5CA55C: zif_mysqli_stmt_bind_result (mysqli_api.c:499)
==25793==    by 0x9E374D: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:315)
==25793==    by 0x9EA1EE: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1574)
==25793==    by 0x9E21FF: execute (zend_vm_execute.h:104)
==25793==    by 0x9AD109: zend_execute_scripts (zend.c:1197)
==25793==    by 0x90F5E1: php_execute_script (main.c:2074)
==25793==    by 0xA618F0: main (php_cli.c:1130)
==25793==
==25793== Invalid read of size 8
==25793==    at 0x997C36: _zval_ptr_dtor (zend_execute_API.c:422)
==25793==    by 0x9A950A: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==25793==    by 0x9BE947: zend_hash_destroy (zend_hash.c:526)
==25793==    by 0x9D8DC3: zend_object_std_dtor (zend_objects.c:45)
==25793==    by 0x5C348B: mysqli_objects_free_storage (mysqli.c:212)
==25793==    by 0x5C38DD: mysqli_result_free_storage (mysqli.c:288)
==25793==    by 0x9DF006: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:215)
==25793==    by 0x9DEB5C: zend_objects_store_del_ref (zend_objects_API.c:171)
==25793==    by 0x9A910B: _zval_dtor_func (zend_variables.c:52)
==25793==    by 0x99788B: _zval_dtor (zend_variables.h:35)
==25793==    by 0x997CE6: _zval_ptr_dtor (zend_execute_API.c:428)
==25793==    by 0x9E26A0: zend_leave_helper_SPEC (zend_vm_execute.h:157)
==25793==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25793==
==25793== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==25793==  Access not within mapped region at address 0x0
==25793==    at 0x997C36: _zval_ptr_dtor (zend_execute_API.c:422)
==25793==    by 0x9A950A: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==25793==    by 0x9BE947: zend_hash_destroy (zend_hash.c:526)
==25793==    by 0x9D8DC3: zend_object_std_dtor (zend_objects.c:45)
==25793==    by 0x5C348B: mysqli_objects_free_storage (mysqli.c:212)
==25793==    by 0x5C38DD: mysqli_result_free_storage (mysqli.c:288)
==25793==    by 0x9DF006: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:215)
==25793==    by 0x9DEB5C: zend_objects_store_del_ref (zend_objects_API.c:171)
==25793==    by 0x9A910B: _zval_dtor_func (zend_variables.c:52)
==25793==    by 0x99788B: _zval_dtor (zend_variables.h:35)
==25793==    by 0x997CE6: _zval_ptr_dtor (zend_execute_API.c:428)
==25793==    by 0x9E26A0: zend_leave_helper_SPEC (zend_vm_execute.h:157)


-- 
Edit bug report at http://bugs.php.net/?id=45941&edit=1
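Editor's added example (not the reporter's code and not PHP's mysqli source). The first Valgrind record above is the one that matters for triage: a one-byte write landing 0 bytes past a 256-byte block that mysqli_stmt_bind_result_do_bind had emalloc'd, i.e. a heap off-by-one in the fetch path, with the later NULL dereference in _zval_ptr_dtor being downstream corruption. The report does not say what line 826 of mysqli_api.c actually does, so the C below is a constructed illustration of the generic shape of such a bug (a terminator or flag written at index output_len when output_len can equal the allocation size) together with a canary check that detects the overflow the same way Valgrind's redzone did. The names column_buf, terminate_unsafe, terminate_safe and canary_clobbered are invented for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0xA5   /* marker planted in the byte just past the buffer */

/* Constructed stand-in for a per-column result buffer. Not PHP's struct. */
typedef struct {
    char *val;          /* heap block the column value is copied into */
    size_t buflen;      /* size of that block in bytes */
    size_t output_len;  /* bytes the client library reported for the column */
} column_buf;

/* Unsafe pattern: write the terminator after output_len bytes without
 * checking output_len < buflen. When a value fills the block exactly,
 * val[buflen] is written: "0 bytes after a block of size buflen". */
static void terminate_unsafe(column_buf *c)
{
    c->val[c->output_len] = '\0';
}

/* Hardened variant: keep the terminator inside the block by clamping.
 * (The alternative fix is to allocate buflen + 1 at bind time; which
 * one the real fix used is not established by this report.) */
static void terminate_safe(column_buf *c)
{
    size_t n;
    if (c->buflen == 0)
        return;
    n = c->output_len < c->buflen ? c->output_len : c->buflen - 1;
    c->val[n] = '\0';
}

/* Detection harness: allocate buflen + 1 bytes, plant a canary in the extra
 * byte, simulate a fetch that fills all buflen bytes (output_len == buflen),
 * run the terminator routine, and report whether the canary was clobbered.
 * Returns 1 if the byte past the buffer was overwritten (the bug), 0 if the
 * write stayed in bounds, -1 on allocation failure. */
static int canary_clobbered(size_t buflen, void (*terminate)(column_buf *))
{
    int clobbered;
    column_buf c;
    char *block = malloc(buflen + 1);
    if (!block)
        return -1;
    memset(block, 'x', buflen);       /* constructed column data, full length */
    block[buflen] = (char)CANARY;     /* one byte past the "real" buffer */

    c.val = block;
    c.buflen = buflen;
    c.output_len = buflen;            /* the edge case: value exactly fills it */
    terminate(&c);

    clobbered = ((unsigned char)block[buflen] != CANARY);
    free(block);
    return clobbered;
}

int main(void)
{
    /* 256 matches the block size in the Valgrind record above. */
    printf("unsafe terminator clobbers byte past block: %d\n",
           canary_clobbered(256, terminate_unsafe));
    printf("clamped terminator clobbers byte past block: %d\n",
           canary_clobbered(256, terminate_safe));
    return 0;
}
```

A canary like this is what a unit test for the fix can assert on directly; for the real extension the equivalent check is re-running the .phpt under valgrind (or a build with -fsanitize=address) and confirming the "Invalid write of size 1" at mysqli_api.c:826 no longer appears, since the SIGSEGV in _zval_ptr_dtor is only a symptom and may move or vanish with heap layout changes.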