Bug #63075 [Opn]: PHP Segfault in PDO ODBC Execute

[Ew6jQ8tSJhf3 at dyweni dot com]

Edit report at https://bugs.php.net/bug.php?id=63075&edit=1

 ID:                 63075
 User updated by:    Ew6jQ8tSJhf3 at dyweni dot com
 Reported by:        Ew6jQ8tSJhf3 at dyweni dot com
 Summary:            PHP Segfault in PDO ODBC Execute
 Status:             Open
 Type:               Bug
 Package:            PDO related
 Operating System:   Linux x86_64 (CentOS 5.8 final)
 PHP Version:        5.4.6
 Block user comment: N
 Private report:     N

 New Comment:

I tested the 5.3.16-1.ius.el5 version of PHP from the IUS repository... These 
have the same issue.

I tested the 5.3.3-13.el5_8 version of PHP from the CentOS5 Updates 
repository... These work OK.


Previous Comments:
------------------------------------------------------------------------
[2012-09-12 19:22:30] Ew6jQ8tSJhf3 at dyweni dot com

Breaking GDB at /usr/src/debug/php-5.4.6/ext/pdo/pdo_stmt.c:514:


(gdb) p stmt
$6 = (pdo_stmt_t *) 0x2aaaab283960
(gdb) p *stmt
$7 = {std = {ce = 0xbbd490, properties = 0x0, properties_table = 
0x2aaaab284440, guards = 0x0}, methods = 0x2aaab09b9640, driver_data = 
0x2aaaab283ad8, executed = 0, 
supports_placeholders = 2, _reserved = 0, column_count = 0,
  columns = 0x0, database_object_handle = {value = {lval = 46909632806913, dval 
= 2.3176438028923198e-310, str = {val = 0x2aaa00000001 <Address 0x2aaa00000001 
out of 
bounds>, len = -1336223392}, ht = 0x2aaa00000001, obj = {handle = 1,
        handlers = 0x2aaab05ad960}}, refcount__gc = 2, type = 5 '\005', 
is_ref__gc = 0 '\000'}, dbh = 0x2aaaab2842b0, bound_params = 0x0, 
bound_param_map = 0x0, 
bound_columns = 0x0, row_count = 0,
  query_string = 0x2aaaab284c20 "SELECT fid, original_filename, dateUploaded, 
filesize, client FROM upload ORDER BY dateUploaded DESC", query_stringlen = 
100, 
active_query_string = 0x0, active_query_stringlen = 0, error_code = "00000",
  lazy_object_ref = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 0}, 
ht = 0x0, obj = {handle = 0, handlers = 0x0}}, refcount__gc = 0, type = 0 
'\000', is_ref__gc 
= 0 '\000'}, refcount = 1, default_fetch_type = PDO_FETCH_BOTH,
  fetch = {column = 0, cls = {ce = 0x0, ctor_args = 0x0, retval_ptr = 0x0, fci 
= {size = 0, function_table = 0x0, function_name = 0x0, symbol_table = 0x0, 
retval_ptr_ptr = 
0x0, param_count = 0, params = 0x0, object_ptr = 0x0,
        no_separation = 0 '\000'}, fcc = {initialized = 0 '\000', 
function_handler = 0x0, calling_scope = 0x0, called_scope = 0x0, object_ptr = 
0x0}}, func = {function = 
0x0, fetch_args = 0x0, object = 0x0, fci = {size = 0,
        function_table = 0x0, function_name = 0x0, symbol_table = 0x0, 
retval_ptr_ptr = 0x0, param_count = 0, params = 0x0, object_ptr = 0x0, 
no_separation = 0 '\000'}, 
fcc = {initialized = 0 '\000', function_handler = 0x0,
        calling_scope = 0x0, called_scope = 0x0, object_ptr = 0x0}, values = 
0x0}, into = 0x0}, named_rewrite_template = 0x0}


(gdb) n
515                     if (stmt->active_query_string && 
stmt->active_query_string != stmt->query_string) {


(gdb) p stmt
$12 = (pdo_stmt_t *) 0x2aaaffffffff
(gdb) p *stmt
Cannot access memory at address 0x2aaaffffffff

------------------------------------------------------------------------
[2012-09-12 19:17:09] Ew6jQ8tSJhf3 at dyweni dot com

Description:
------------
PHP 5.4.6
Microsoft SQL Server ODBC Driver V1.0 for Linux

PHP Segfaults while executing the call '$sth->execute()'

GDB Backtrace is:


Program received signal SIGSEGV, Segmentation fault.
zim_PDOStatement_execute (ht=<value optimized out>, 
return_value=0x2aaaab284210, 
return_value_ptr=<value optimized out>, 
this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /usr/src/debug/php-5.4.6/ext/pdo/pdo_stmt.c:515
515                     if (stmt->active_query_string && stmt-
>active_query_string != stmt->query_string) {
(gdb) bt
#0  zim_PDOStatement_execute (ht=<value optimized out>, 
return_value=0x2aaaab284210, return_value_ptr=<value optimized out>, 
this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /usr/src/debug/php-5.4.6/ext/pdo/pdo_stmt.c:515
#1  0x00000000006005e5 in zend_do_fcall_common_helper_SPEC 
(execute_data=0x2aaaab250060) at /usr/src/debug/php-
5.4.6/Zend/zend_vm_execute.h:642
#2  0x000000000060643e in execute (op_array=0x2aaaab282fc8) at 
/usr/src/debug/php-5.4.6/Zend/zend_vm_execute.h:410
#3  0x00000000005d1a8e in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at /usr/src/debug/php-5.4.6/Zend/zend.c:1289
#4  0x0000000000576c38 in php_execute_script (primary_file=0x7fffffffc190) at 
/usr/src/debug/php-5.4.6/main/main.c:2473
#5  0x00000000006785ed in do_cli (argc=2, argv=0x7fffffffd4b8) at 
/usr/src/debug/php-5.4.6/sapi/cli/php_cli.c:988
#6  0x0000000000678f6d in main (argc=2, argv=0x7fffffffd4b8) at 
/usr/src/debug/php-5.4.6/sapi/cli/php_cli.c:1364


Valgrind Output is:

==9423== Memcheck, a memory error detector
==9423== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==9423== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==9423== Command: php test.php
==9423==
==9423== Invalid read of size 8
==9423==    at 0xA7588B4: zim_PDOStatement_execute (pdo_stmt.c:515)
==9423==    by 0x6005E4: zend_do_fcall_common_helper_SPEC 
(zend_vm_execute.h:642)
==9423==    by 0x60643D: execute (zend_vm_execute.h:410)
==9423==    by 0x5D1A8D: zend_execute_scripts (zend.c:1289)
==9423==    by 0x576C37: php_execute_script (main.c:2473)
==9423==    by 0x6785EC: do_cli (php_cli.c:988)
==9423==    by 0x678F6C: main (php_cli.c:1364)
==9423==  Address 0x10000008f is not stack'd, malloc'd or (recently) free'd
==9423==
==9423==
==9423== Process terminating with default action of signal 11 (SIGSEGV)
==9423==  Access not within mapped region at address 0x10000008F
==9423==    at 0xA7588B4: zim_PDOStatement_execute (pdo_stmt.c:515)
==9423==    by 0x6005E4: zend_do_fcall_common_helper_SPEC 
(zend_vm_execute.h:642)
==9423==    by 0x60643D: execute (zend_vm_execute.h:410)
==9423==    by 0x5D1A8D: zend_execute_scripts (zend.c:1289)
==9423==    by 0x576C37: php_execute_script (main.c:2473)
==9423==    by 0x6785EC: do_cli (php_cli.c:988)
==9423==    by 0x678F6C: main (php_cli.c:1364)
==9423==  If you believe this happened as a result of a stack
==9423==  overflow in your program's main thread (unlikely but
==9423==  possible), you can try to increase the size of the
==9423==  main thread stack using the --main-stacksize= flag.
==9423==  The main thread stack size used in this run was 10485760.
==9423==
==9423== HEAP SUMMARY:
==9423==     in use at exit: 4,021,443 bytes in 19,132 blocks
==9423==   total heap usage: 22,569 allocs, 3,437 frees, 5,755,940 bytes 
allocated




Test script:
---------------
<?php

$pdo = new PDO('odbc:TestDB', "TestUser", "TestPassword");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = 'SELECT fid, original_filename, dateUploaded, filesize, client FROM 
upload ORDER BY dateUploaded DESC';
$sth = $pdo->prepare($stmt);
$sth->execute();
var_dump($sth->fetchAll());





Expected result:
----------------
The script should output the results from $sth->fetchAll.

Actual result:
--------------
The script crashes with a Segmentation Fault.



------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=63075&edit=1