ID: 38710
Updated by: [EMAIL PROTECTED]
Reported By: domas at mysql dot com
Status: Assigned
Bug Type: MySQLi related
Operating System: Any
PHP Version: 5.1.6
Assigned To: andrey
New Comment:
see also http://bugs.mysql.com/bug.php?id=22001

Previous Comments:
------------------------------------------------------------------------

[2006-09-04 10:35:58] domas at mysql dot com

#0 0x007c758c in memcpy () from /lib/tls/libc.so.6
#1 0x081b6d91 in _estrndup ()
#2 0x05698383 in zif_mysqli_stmt_fetch (ht=147132188, return_value=0x8c420bc, return_value_ptr=0x0, this_ptr=0x8c50f1c, return_value_used=0) at /usr/src/redhat/BUILD/php-5.1.6/ext/mysqli/mysqli_api.c:717
#3 0x081e9a81 in zend_do_fcall_common_helper_SPEC ()
#4 0x081e93bb in execute ()
#5 0x081ce2e0 in zend_execute_scripts ()
#6 0x08192006 in php_execute_script ()
#7 0x00000000 in ?? ()

------------------------------------------------------------------------

[2006-09-04 10:34:02] domas at mysql dot com

Description:
------------
If a function is executed in a prepared statement (like CONCAT, UNCOMPRESS, etc.), it allocates an 8192-sized buffer, but fetch() doesn't check the actual length of the data. If the data crosses the 8192-byte boundary, all sorts of weird stuff starts to happen, including possible sensitive data disclosures of non-overwritten buffers (at smaller lengths) or process crashes (at bigger ones).

Reproduce code:
---------------
<?php
// Trigger: a prepared statement whose single column is a function result
// much longer than the 8192-byte buffer fetch() uses.
$db = new mysqli("localhost", "root", "", "test");
$qry = $db->stmt_init();
$qry->prepare("SELECT REPEAT('a',100000)");  // 100000 bytes, far past 8192
$qry->execute();
$qry->bind_result($text);
$qry->fetch();  // reads past the fixed buffer: disclosure or crash

Expected result:
----------------
silence

Actual result:
--------------
crash!

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=38710&edit=1
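The report describes a fixed 8192-byte bind buffer whose contents are then copied using the column's true length rather than the buffer's size; the backtrace (memcpy inside _estrndup, called from zif_mysqli_stmt_fetch) is consistent with a read past that buffer. The following C simulation is an added example, not code from PHP, libmysql or the reporter: it models the truncating fetch, computes (without performing) the over-read a length-trusting copy would make for the REPEAT('a',100000) case, and shows two hardened paths, clamping the copy to the buffer size and re-fetching after growing the buffer. The struct and function names, the 'truncated' flag and the re-fetch path are assumptions made for illustration, not the fix PHP shipped.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BIND_BUF_SIZE 8192   /* fixed buffer size named in the report */

/* Constructed stand-in for one column value as the server returns it. */
struct column {
    const char *data;
    size_t len;
};

/* Client-side binding; buffer/buffer_length/length loosely follow a libmysql
 * bind, 'truncated' is our own flag. All names are assumptions. */
struct bind {
    char *buffer;
    size_t buffer_length;
    size_t length;      /* true column length as reported after a fetch */
    int truncated;
};

/* Copies at most buffer_length bytes but reports the true length:
 * the mismatch the report describes. */
static void fetch_into_bind(const struct column *src, struct bind *dst)
{
    size_t n = src->len < dst->buffer_length ? src->len : dst->buffer_length;
    memcpy(dst->buffer, src->data, n);
    dst->length = src->len;
    dst->truncated = src->len > dst->buffer_length;
}

/* Bytes a copy that trusts 'length' instead of 'buffer_length' would read
 * beyond the bind buffer (inferred from the backtrace). Only computed. */
size_t overread_bytes(const struct bind *b)
{
    return b->length > b->buffer_length ? b->length - b->buffer_length : 0;
}

/* Hardened copy: clamp to buffer_length; the caller inspects 'truncated'. */
char *dup_column_safe(const struct bind *b, size_t *out_len)
{
    size_t n = b->length < b->buffer_length ? b->length : b->buffer_length;
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, b->buffer, n);
    p[n] = '\0';
    *out_len = n;
    return p;
}

/* Recovery path (assumption): grow the buffer to the reported length and
 * fetch the column again. Returns 0 on success. */
int refetch_grown(const struct column *src, struct bind *b)
{
    char *bigger;
    if (!b->truncated)
        return 0;
    bigger = realloc(b->buffer, b->length);
    if (bigger == NULL)
        return -1;
    b->buffer = bigger;
    b->buffer_length = b->length;
    fetch_into_bind(src, b);
    return 0;
}

/* Plays the report's SELECT REPEAT('a', n) against an 8192-byte bind.
 * Returns bytes safely obtained (all verified to be 'a'), or (size_t)-1 on
 * error; *overread gets what the length-trusting copy would have over-read. */
size_t run_scenario(size_t n, int grow, size_t *overread)
{
    char *value = malloc(n), *dup = NULL;
    struct column col;
    struct bind b = { malloc(BIND_BUF_SIZE), BIND_BUF_SIZE, 0, 0 };
    size_t got = (size_t)-1, i;

    if (value == NULL || b.buffer == NULL)
        goto out;
    memset(value, 'a', n);
    col.data = value;
    col.len = n;

    fetch_into_bind(&col, &b);
    *overread = overread_bytes(&b);
    if (grow && refetch_grown(&col, &b) != 0)
        goto out;
    dup = dup_column_safe(&b, &got);
    if (dup == NULL)
        goto out;
    for (i = 0; i < got; i++)   /* every byte must be the 'a' we sent */
        if (dup[i] != 'a') { got = (size_t)-1; break; }
out:
    free(dup);
    free(b.buffer);
    free(value);
    return got;
}

/* Wrappers so results can be checked without out-parameters. */
size_t bytes_obtained(size_t n, int grow) { size_t o; return run_scenario(n, grow, &o); }
size_t bytes_overread(size_t n) { size_t o = 0; run_scenario(n, 0, &o); return o; }

int main(void)
{
    printf("clamped: %zu bytes, over-read avoided: %zu\n",
           bytes_obtained(100000, 0), bytes_overread(100000));
    printf("regrown: %zu bytes\n", bytes_obtained(100000, 1));
    return 0;
}
```

In the real client the signals to check are the MYSQL_DATA_TRUNCATED return value of mysql_stmt_fetch() and the per-column length written by the library; any copy out of a bind buffer must use the smaller of that length and the buffer's own size, never the reported length alone.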
