Edit report at https://bugs.php.net/bug.php?id=62273&edit=1
ID: 62273
User updated by: andres at phalconphp dot com
Reported by: andres at phalconphp dot com
Summary: Segmentation Fault in Mysqli/Mysqlnd
-Status: Assigned
+Status: Open
Type: Bug
Package: MySQLi related
Operating System: Linux/Mac
PHP Version: 5.3.15-dev/5.3.12/5.4.5-dev
Assigned To: mysql
Block user comment: N
Private report: N
New Comment:
Hi, is someone assigned to this?
Previous Comments:
------------------------------------------------------------------------
[2012-06-09 05:56:58] andres at phalconphp dot com
I think the problem is the mysqlnd_charsets variable in
ext/mysqlnd/mysqlnd_charset.c:
utf8_spanish_ci is returned as code 199 by the MySQL server, but in the charset
const it is:
{ 119, UTF8_MB3, UTF8_MB3"_spanish_ci", 1, 3, "", mysqlnd_mbcharlen_utf8mb3,
check_mb_utf8mb3_valid},
Then mysqlnd_find_charset_nr is unable to find the charset name, and as a
consequence conn->charset is null, producing the segmentation fault.
I'm not sure what the right solution for this is, maybe updating the charset
code or assigning a default charset when the charset code does not match any.
------------------------------------------------------------------------
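The lookup failure described in the comment above (a collation id the server sends that has no entry in the mysqlnd charset table, leaving conn->charset null) as an added C illustration; this is not mysqlnd's code but a cut-down model of it, with a constructed charset subset, showing the lookup that returns NULL on a miss and a handshake step that keeps the connection's charset non-NULL, as the comment suggests. The names charset_t, conn_t, conn_set_charset_nr, conn_charset_name and the fallback to utf8_general_ci are assumptions.

```c
/* Added illustration, not mysqlnd's code. The table is a constructed
 * subset: ids 8 and 33 are MySQL's latin1_swedish_ci / utf8_general_ci,
 * 119 is the utf8_spanish_ci entry quoted from mysqlnd_charset.c. */
#include <stddef.h>
#include <string.h>

typedef struct {
    unsigned int nr;          /* collation id as sent by the server */
    const char  *name;
    unsigned int char_maxlen; /* bytes per character: 1 or 3 */
} charset_t;

static const charset_t charsets[] = {
    {   8, "latin1_swedish_ci", 1 },
    {  33, "utf8_general_ci",   3 },
    { 119, "utf8_spanish_ci",   3 },
    {   0, NULL,                0 }  /* terminator, like mysqlnd's table */
};

/* Mirrors mysqlnd_find_charset_nr: NULL when the id is unknown.
 * With id 199 from the report this is the NULL that later crashes. */
const charset_t *find_charset_nr(unsigned int nr)
{
    for (const charset_t *c = charsets; c->nr != 0; c++)
        if (c->nr == nr)
            return c;
    return NULL;
}

typedef struct { const charset_t *charset; } conn_t;

/* Hardened handshake step: never leave conn->charset NULL. An unknown
 * id falls back to utf8_general_ci and returns -1 so the caller can
 * report the mismatch instead of dereferencing NULL in escape/name. */
int conn_set_charset_nr(conn_t *conn, unsigned int nr)
{
    const charset_t *c = find_charset_nr(nr);
    if (c == NULL) {
        conn->charset = find_charset_nr(33);
        return -1;
    }
    conn->charset = c;
    return 0;
}

/* Guarded equivalent of the deref in php_mysqlnd_conn_charset_name_pub. */
const char *conn_charset_name(const conn_t *conn)
{
    return conn->charset ? conn->charset->name : "(unknown)";
}
```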
[2012-06-09 05:08:45] andres at phalconphp dot com
PHP 5.4 is also affected:
$ php -v
PHP 5.4.5-dev (cli) (built: Jun 8 2012 23:58:38)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
$ php a.php
Segmentation fault
$ gdb --args sapi/cli/php a.php
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/andres/php5.4-201206090330/sapi/cli/php...done.
(gdb) run
Starting program: /home/andres/php5.4-201206090330/sapi/cli/php a.php
Program received signal SIGSEGV, Segmentation fault.
mysqlnd_cset_escape_slashes (cset=0x0, newstr=0xb7fc5884
"|X\374\267|X\374\267\364\001",
escapestr=0xb7ebbc90 "1", escapestr_len=1)
at /home/andres/php5.4-201206090330/ext/mysqlnd/mysqlnd_charset.c:719
719 if (cset->char_maxlen > 1 && (len =
cset->mb_valid(escapestr, end))) {
(gdb) bt
#0 mysqlnd_cset_escape_slashes (cset=0x0, newstr=0xb7fc5884
"|X\374\267|X\374\267\364\001",
escapestr=0xb7ebbc90 "1", escapestr_len=1)
at /home/andres/php5.4-201206090330/ext/mysqlnd/mysqlnd_charset.c:719
#1 0x08285111 in php_mysqlnd_conn_data_escape_string_pub (escapestr_len=1,
escapestr=0xb7ebbc90 "1", newstr=0xb7fc5884 "|X\374\267|X\374\267\364\001",
conn=0xb7fc3e58)
at /home/andres/php5.4-201206090330/ext/mysqlnd/mysqlnd.c:1470
#2 php_mysqlnd_conn_data_escape_string_pub (conn=0xb7fc3e58,
newstr=0xb7fc5884 "|X\374\267|X\374\267\364\001", escapestr=0xb7ebbc90 "1",
escapestr_len=1)
at /home/andres/php5.4-201206090330/ext/mysqlnd/mysqlnd.c:1459
#3 0x0818419c in zif_mysqli_real_escape_string (ht=2, return_value=0xb7fc35a0,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
at /home/andres/php5.4-201206090330/ext/mysqli/mysqli_api.c:1905
#4 0x083a28d8 in zend_do_fcall_common_helper_SPEC (execute_data=<optimized
out>)
at /home/andres/php5.4-201206090330/Zend/zend_vm_execute.h:642
#5 0x083658ed in execute (op_array=<optimized out>)
at /home/andres/php5.4-201206090330/Zend/zend_vm_execute.h:410
#6 0x083077db in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /home/andres/php5.4-201206090330/Zend/zend.c:1279
#7 0x082a8192 in php_execute_script (primary_file=0xbfffdf6c)
at /home/andres/php5.4-201206090330/main/main.c:2473
#8 0x083a4fec in do_cli (argc=2, argv=0xbffff1f4)
at /home/andres/php5.4-201206090330/sapi/cli/php_cli.c:988
#9 0x08066cc4 in main (argc=2, argv=0xbffff1f4)
at /home/andres/php5.4-201206090330/sapi/cli/php_cli.c:1361
------------------------------------------------------------------------
[2012-06-09 03:48:30] andres at phalconphp dot com
Description:
------------
Hi, I'm getting a segmentation fault when executing this code:
<?php
$link = mysqli_connect("127.0.0.1", "root", "", "test");
mysqli_real_escape_string($link, "1");
Result:
Mac (Snow leopard):
[#] php a.php
Segmentation fault
[#] php -v
PHP 5.3.12 (cli) (built: Jun 4 2012 19:51:42)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
Ubuntu (11.10):
$ php a.php
Segmentation fault
$ php -v
PHP 5.3.15-dev (cli) (built: Jun 8 2012 22:17:40)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
Test script:
---------------
This produces the segmentation fault:
<?php
$link = mysqli_connect("127.0.0.1", "root", "passwd", "test");
echo mysqli_real_escape_string($link, "1");
Also, this code produces a segmentation fault:
<?php
$link = mysqli_connect("127.0.0.1", "root", "passwd", "test");
printf("Current character set: %s\n", mysqli_character_set_name($link));
Investigating more deeply, I resolved the problem by removing this from my.cnf:
character-set-server = utf8
collation-server = utf8_spanish_ci
Using latin1 and latin1_swedish_ci works fine.
This is my ./configure command on Linux:
./configure --enable-cli --with-mysqli=mysqlnd --disable-xmlreader
--disable-xmlwriter --with-apxs2=/usr/bin/apxs2 --with-config-file-path=/etc
--enable-mysqlnd
This is the mysqli/mysqlnd part of the phpinfo():
mysqli
MysqlI Support => enabled
Client API library version => mysqlnd 5.0.8-dev - 20102224 - $Id: 65fe78e70ce53d27a6cd578597722950e490b0d0 $
Active Persistent Links => 0
Inactive Persistent Links => 0
Active Links => 0
Directive => Local Value => Master Value
mysqli.allow_local_infile => On => On
mysqli.allow_persistent => On => On
mysqli.default_host => no value => no value
mysqli.default_port => 3306 => 3306
mysqli.default_pw => no value => no value
mysqli.default_socket => no value => no value
mysqli.default_user => no value => no value
mysqli.max_links => Unlimited => Unlimited
mysqli.max_persistent => Unlimited => Unlimited
mysqli.reconnect => Off => Off
mysqlnd
mysqlnd => enabled
Version => mysqlnd 5.0.8-dev - 20102224 - $Id: 65fe78e70ce53d27a6cd578597722950e490b0d0 $
Compression => not supported
SSL => supported
Command buffer size => 4096
Read buffer size => 32768
Read timeout => 31536000
Collecting statistics => Yes
Collecting memory statistics => Yes
Tracing => n/a
$ mysql --version
mysql Ver 14.14 Distrib 5.1.62, for debian-linux-gnu (i686) using readline 6.2
[#] mysql --version
mysql Ver 14.14 Distrib 5.1.62, for apple-darwin10.8.0 (i386) using readline 6.2
Expected result:
----------------
In the first program, 1 as output; in the second program: Current character
set: utf8
Actual result:
--------------
For:
<?php
$link = mysqli_connect("127.0.0.1", "root", "hea101", "demo");
printf("Current character set: %s\n", mysqli_character_set_name($link));
This is the backtrace:
(gdb) run a.php
Starting program: /opt/local/bin/php a.php
Reading symbols for shared libraries .+++++++++ done
Reading symbols for shared libraries . done
...
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000008
0x000000010016ad0b in php_mysqlnd_conn_charset_name_pub ()
(gdb) bt
#0 0x000000010016ad0b in php_mysqlnd_conn_charset_name_pub ()
#1 0x0000000103193015 in zif_mysqli_character_set_name ()
#2 0x0000000100232d3a in zend_do_fcall_common_helper_SPEC ()
#3 0x0000000100207abb in execute ()
#4 0x00000001001df88b in zend_execute_scripts ()
#5 0x0000000100186c32 in php_execute_script ()
#6 0x0000000100271ed5 in main ()
(gdb)
And for:
<?php
$link = mysqli_connect("127.0.0.1", "root", "hea101", "demo");
mysqli_real_escape_string($link, "1");
This is the backtrace:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x000000000000001c
0x000000010016fab0 in mysqlnd_cset_escape_slashes ()
(gdb) bt
#0 0x000000010016fab0 in mysqlnd_cset_escape_slashes ()
#1 0x0000000103193aa1 in zif_mysqli_real_escape_string ()
#2 0x0000000100232d3a in zend_do_fcall_common_helper_SPEC ()
#3 0x0000000100207abb in execute ()
#4 0x00000001001df88b in zend_execute_scripts ()
#5 0x0000000100186c32 in php_execute_script ()
#6 0x0000000100271ed5 in main ()
(gdb)
------------------------------------------------------------------------