ID:               34731
 User updated by:  novicky at aarongroup dot cz
 Reported By:      novicky at aarongroup dot cz
-Status:           Feedback
+Status:           Open
 Bug Type:         OCI8 related
 Operating System: All
 PHP Version:      5CVS-2005-10-04 (CVS)
 Assigned To:      tony2001
 New Comment:

It is hard to reproduce, but working on deallocated memory blocks is
extremely dangerous. We had problems with segmentation faults on
Sparc/Solaris 9.
Have a look at the following code coming from oci8.c: first a session
pointer is inserted into the list by zend_list_insert(), while a few lines
below the session structure is copied into a new location by
zend_llist_add_element() and the original memory block is deallocated
by efree(). Thus the destructor applied on the list would work on
deallocated memory!!!

        session->num = zend_list_insert(session, le_session);
        session->is_open = 1;

        mutex_lock(mx_lock);
                num_links++;
                if (!exclusive) {
                        zend_llist_add_element(session_list, session);
                        efree(session);
                        session = (oci_session*) session_list->tail->data;
                        num_persistent++;
                }
        mutex_unlock(mx_lock);

        oci_debug("_oci_open_session new sess=%d user=%s",session->num,username);

        return session;
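
The ordering problem described above, as an added C example that is not code from oci8.c or the PHP project: the two Zend containers are replaced by minimal stand-ins (a pointer registry standing in for zend_list_insert() and the le_session destructor, and a list that copies elements the way zend_llist_add_element() does), a small allocation tracker answers whether a registered pointer is still inside a live heap block without dereferencing it, and dangling_destructors() returns how many registered destructors would run on freed memory for the original ordering (register before the copy) versus the patched one (register after it). Every name and the sample user value are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the Zend structures involved (constructed for this example,
 * not the real Zend API). */
typedef struct { int num; int is_open; char user[16]; } session_t;

/* Allocation tracker: remembers live heap blocks and their sizes so we can
 * ask "does this pointer lie inside a live block?" without touching memory. */
#define MAX_BLOCKS 16
static struct { void *p; size_t n; } live_blocks[MAX_BLOCKS];

static int block_slot(const void *p)      /* slot of the live block holding p, or -1 */
{
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < MAX_BLOCKS; i++) {
        uintptr_t b = (uintptr_t)live_blocks[i].p;
        if (live_blocks[i].p && a >= b && a < b + live_blocks[i].n) return i;
    }
    return -1;
}
static void *tracked_malloc(size_t n)
{
    for (int i = 0; i < MAX_BLOCKS; i++)
        if (live_blocks[i].p == NULL) {
            live_blocks[i].p = malloc(n);
            live_blocks[i].n = n;
            return live_blocks[i].p;
        }
    abort();                              /* tracker full; cannot happen here */
}
static void tracked_free(void *p)
{
    int slot = block_slot(p);
    if (slot >= 0) live_blocks[slot].p = NULL;
    free(p);
}
static int is_live(const void *p) { return block_slot(p) >= 0; }

/* Stand-in for zend_llist: add_element copies the element bytes into a new
 * node, so the list owns a copy rather than the caller's block. */
typedef struct node { struct node *next; session_t data; } node_t;
typedef struct { node_t *head, *tail; } llist_t;

static void llist_add_element(llist_t *l, const session_t *s)
{
    node_t *n = tracked_malloc(sizeof *n);
    n->next = NULL;
    memcpy(&n->data, s, sizeof *s);
    if (l->tail) l->tail->next = n; else l->head = n;
    l->tail = n;
}
static void llist_destroy(llist_t *l)
{
    for (node_t *n = l->head, *next; n != NULL; n = next) { next = n->next; tracked_free(n); }
    l->head = l->tail = NULL;
}

/* Stand-in for the resource registry: zend_list_insert() stores the raw
 * pointer, and the le_session destructor later receives that same pointer. */
#define MAX_RES 8
static void *resources[MAX_RES];
static int   n_resources;

static int list_insert(void *ptr) { resources[n_resources] = ptr; return n_resources++; }

/* Runs the registered destructors.  A real destructor would dereference the
 * pointer unconditionally; here we ask the tracker first and count the
 * entries that would have touched freed memory. */
static int list_destroy_all(void)
{
    int dangling = 0;
    for (int i = 0; i < n_resources; i++) {
        if (is_live(resources[i])) ((session_t *)resources[i])->is_open = 0;
        else dangling++;
    }
    n_resources = 0;
    return dangling;
}

/* The persistent (non-exclusive) path of _oci_open_session, with the
 * registration either before the copy (original code) or after it (patch). */
static session_t *open_session(llist_t *session_list, int register_before_copy)
{
    session_t *session = tracked_malloc(sizeof *session);
    memset(session, 0, sizeof *session);
    strcpy(session->user, "scott");                /* constructed sample user */

    if (register_before_copy)                      /* original ordering: */
        session->num = list_insert(session);       /* registers the block freed below */
    session->is_open = 1;

    llist_add_element(session_list, session);      /* bytes copied into a list node */
    tracked_free(session);                         /* original block deallocated   */
    session = &session_list->tail->data;           /* now points at the list copy  */

    if (!register_before_copy)                     /* patched ordering: */
        session->num = list_insert(session);       /* registers the list-owned copy */
    return session;
}

/* Returns how many registered destructors would run on freed memory:
 * 1 for the original ordering, 0 for the patched one. */
int dangling_destructors(int register_before_copy)
{
    llist_t session_list = { NULL, NULL };
    open_session(&session_list, register_before_copy);
    int dangling = list_destroy_all();
    llist_destroy(&session_list);
    return dangling;
}

int main(void)
{
    printf("original ordering: %d dangling destructor(s)\n", dangling_destructors(1));
    printf("patched ordering:  %d dangling destructor(s)\n", dangling_destructors(0));
    return 0;
}
```

The tracker is only there so the example can report the dangling pointer instead of dereferencing it; in a real build this is the class of defect that AddressSanitizer reports as a heap-use-after-free when the destructor runs. The property the patch relies on is visible in open_session(): once `session` has been repointed at `session_list->tail->data`, the registered pointer lives exactly as long as the list node, which is what the resource destructor needs.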


Previous Comments:
------------------------------------------------------------------------

[2005-10-04 18:48:20] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc.

If possible, make the script source available online and provide
a URL to it here. Try to avoid embedding huge scripts into the report.



------------------------------------------------------------------------

[2005-10-04 18:29:23] [EMAIL PROTECTED]

Assigned to the maintainer.

------------------------------------------------------------------------

[2005-10-04 15:59:20] novicky at aarongroup dot cz

Description:
------------
There is an incorrect session destructor registration. The pointer
registered by zend_list_insert points to a memory block which is then
released by efree. This can lead to a segmentation fault when the
destructor is called. A proposed patch follows (the same problem is in
the development branch).

--- php5-STABLE-200510041238/ext/oci8/oci8.c.ORIG       2005-10-04
15:39:42.301952856 +0200
+++ php5-STABLE-200510041238/ext/oci8/oci8.c    2005-10-04
15:40:58.979935427 +0200
@@ -2879,7 +2879,6 @@
                )
        );

-       session->num = zend_list_insert(session, le_session);
        session->is_open = 1;

        mutex_lock(mx_lock);
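Review bot: deleting this `zend_list_insert()` call is only half of the fix and must land together with the re-insertion after the locked region; on its own it leaves `session->num` unset for the rest of the function. It is also worth stating in the commit message why the move is needed: the `zend_llist_add_element()` / `efree(session)` pair a few lines below this context replaces `session` with the list-owned copy, so the pointer registered here would be freed before the `le_session` destructor ever runs.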
@@ -2892,6 +2891,7 @@
                }
        mutex_unlock(mx_lock);

+       session->num = zend_list_insert(session, le_session);
        oci_debug("_oci_open_session new sess=%d
user=%s",session->num,username);

        return session;
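Review bot: registering `session` here, after `mutex_unlock(mx_lock)`, means the resource list receives `session_list->tail->data` for the persistent case, which lives as long as the list node, while the exclusive path still registers the original block, which that path never frees; both are the right pointer. One thing to confirm: `zend_list_insert()` now runs outside `mx_lock`, so the `num` assignment is no longer covered by the lock that guards `session_list`. If nothing can remove the tail entry between the unlock and this line, a one-line comment saying so would save the next reader the same question.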




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=34731&edit=1
