ID: 38710
Updated by: [EMAIL PROTECTED]
Reported By: domas at mysql dot com
-Status: Open
+Status: Assigned
Bug Type: MySQLi related
Operating System: Any
PHP Version: 5.1.6
-Assigned To:
+Assigned To: andrey
Previous Comments:
------------------------------------------------------------------------
[2006-09-04 10:35:58] domas at mysql dot com
#0 0x007c758c in memcpy () from /lib/tls/libc.so.6
#1 0x081b6d91 in _estrndup ()
#2 0x05698383 in zif_mysqli_stmt_fetch (ht=147132188,
return_value=0x8c420bc, return_value_ptr=0x0,
this_ptr=0x8c50f1c, return_value_used=0)
at /usr/src/redhat/BUILD/php-5.1.6/ext/mysqli/
mysqli_api.c:717
#3 0x081e9a81 in zend_do_fcall_common_helper_SPEC ()
#4 0x081e93bb in execute ()
#5 0x081ce2e0 in zend_execute_scripts ()
#6 0x08192006 in php_execute_script ()
#7 0x00000000 in ?? ()
------------------------------------------------------------------------
[2006-09-04 10:34:02] domas at mysql dot com
Description:
------------
If function is executed in a prepared statement (like CONCAT,
UNCOMPRESS, etc), it allocates 8192-sized buffer, but fetch()
doesn't check actual length of data. If data crosses 8192-byte
boundary, all sorts of weird stuff starts to happen, including
possible sensitive data disclosures of non-overwrited buffers
(at smaller lengths) or process crashes (at bigger ones).
Reproduce code:
---------------
$db=new mysqli("localhost","root","","test");
$qry=$db->stmt_init();
$qry->prepare("SELECT REPEAT('a',100000)");
$qry->execute();
$qry->bind_result($text);
$qry->fetch();
Expected result:
----------------
silence
Actual result:
--------------
crash!
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=38710&edit=1
